DEV Community

Ryan

I reported a security vulnerability. Now what?

I recently discovered a vulnerability for the first time. I found the product's security contact and sent some information. Ideally they will respond acknowledging the issue and provide a timeline for a patch.

What if that doesn't happen? How long is appropriate to wait before following up? When do you promise public disclosure? What if they disagree that it is a vulnerability?

Is there a guide for reporting vulnerabilities somewhere? I thought I'd be able to find one but I wasn't able to. A resource like that would be handy.

Oldest comments (5)

Ben Halpern

Mike

There's a limit to responsible disclosure; I usually do 90 days after the report. Make sure you do numerous follow-ups if they fail to respond, and inform them you'll be disclosing in 90 days if they fail to provide a patch.

If they disagree it’s a vulnerability, then let the internet decide in your public disclosure.

Paulo Renato

Troy Hunt, a well-known security expert, has several articles about responsible disclosure. Just google the term `site:troyhunt.com responsible disclosure` and see the several articles he has about it.

Ryan (edited)

I like Troy Hunt and read his site regularly. He's one reason I'm interested in infosec. However the articles on his site seem to be all about "how not to handle disclosure the completely horribly most very wrong way as a company", and not so much about the reporting side.

Rémi Lavedrine

Isn't that company on a Bug Bounty?
Is there a security part in its website to communicate with them using their PGP key?

If so, be careful about what you are doing. Some companies are prone to prosecute you based on this kind of behavior (and the Internet is not going to help with that).
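Putting Mike's "90 days with follow-ups" approach and Rémi's question about a published security contact and PGP key together, here is an added example; it is my code, not code from the thread or from any vendor. It assumes the vendor publishes a `security.txt` file (RFC 9116), which is the standard place for the `Contact`, `Encryption` (PGP key) and `Policy` fields Rémi is asking about, and it tracks the reporting timeline from the report date. The sample file, the vendor name (`example-vendor.invalid`) and the follow-up cadence (days 7, 30 and 60) are constructed for the example; the 90-day window is Mike's figure.

```python
"""Added example (not from the original thread or any vendor):
parse a vendor's security.txt to find the security contact and PGP key,
then track a 90-day disclosure window with follow-up reminders."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample security.txt for a hypothetical vendor (not a real file).
SAMPLE_SECURITY_TXT = """\
# Security contact information for example-vendor (constructed sample)
Contact: mailto:security@example-vendor.invalid
Contact: https://example-vendor.invalid/security/report
Encryption: https://example-vendor.invalid/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example-vendor.invalid/security-policy
Expires: 2030-01-01T00:00:00.000Z
"""


def parse_security_txt(text):
    """Return {field-name (lowercase): [values]}; fields such as Contact may repeat."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line, ignore it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def is_expired(fields, today):
    """A security.txt without a usable Expires field, or past it, should not be trusted."""
    expires = fields.get("expires")
    if not expires:
        return True
    try:
        # Only the calendar date matters for this check (value is RFC 3339, e.g. 2030-01-01T00:00:00.000Z).
        return date.fromisoformat(expires[0][:10]) <= today
    except ValueError:
        return True


@dataclass(frozen=True)
class DisclosureTimeline:
    """Reporter-side tracking: 90-day window (Mike's figure) plus follow-up days (my assumption)."""
    reported: date
    window_days: int = 90
    followup_days: tuple = (7, 30, 60)

    @property
    def deadline(self):
        return self.reported + timedelta(days=self.window_days)

    def followups(self):
        return [self.reported + timedelta(days=d) for d in self.followup_days]

    def next_action(self, today, acknowledged=False, patched=False):
        """What the reporter should do on `today`, as a short status string."""
        if patched:
            return "patched: coordinate the public write-up with the vendor"
        if today >= self.deadline:
            return f"deadline reached ({self.deadline.isoformat()}): publish the disclosure"
        due = [d for d in self.followups() if d <= today]
        if not acknowledged and due:
            return f"send follow-up #{len(due)} (deadline {self.deadline.isoformat()})"
        return f"wait ({(self.deadline - today).days} days left)"


if __name__ == "__main__":
    today = date(2024, 2, 20)
    fields = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("contacts:", fields.get("contact"))
    print("pgp key:", fields.get("encryption"))
    print("expired:", is_expired(fields, today))
    timeline = DisclosureTimeline(reported=date(2024, 1, 10))
    print("deadline:", timeline.deadline.isoformat())
    print("today:", timeline.next_action(today))
```

If the file is missing or expired, fall back to the contact page or bug-bounty program Rémi mentions; whichever channel you use, keep the dates of every report and follow-up, since that record is what justifies publishing at the end of the window.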