1/ Today, the Indian "we are 20 years old but we are Infosec pros, you are a shame and we will explain to you what security is" gang is accusing me of stealing bugs.

I guess it's time to explain my process again when it comes to vulnerability disclosure.
2/ Sometimes, during my research I find security issues. Sometimes, people send me tips by DM.

In both cases the process is the same.
3/ When people send me a tip, my questions are always:
1) Who is affected?
2) What is the issue?
3) Can you access sensitive data?
4) Can I reproduce the issue?
5) Did you try to contact them?
6) Do you want to stay anonymous?
4/ If I cannot verify the claims or if I feel the person wants his 2 seconds of fame, I end the conversation.
If the person didn't contact the concerned company, I suggest he contact them (by email, phone call, whatever) and keep me updated if nothing happens.
5/ If the company has a bug bounty program, I suggest he file a bug report with them. He deserves his money.
If the issue is clearly not as big as he thinks, I try to tell him nicely.
6/ If I can reproduce the issue, if the person is not a young excited kiddo, if he tried to contact them multiple times, if the issue is serious, I write my very vague tweet "Hi XXX, you have a security issue..."
7/ If the company fixes the issue, I write a follow-up tweet explaining what the issue was: "The issue was...". Obviously I add the credits to the original finder, if he doesn't want to stay anonymous. If he wants to stay anonymous, I don't add credits.
8/ But, most of the time, companies don't respond. So, yep, I'm not writing this follow-up tweet. Sometimes, they fix it silently without telling anyone. I'm not spending my life verifying if the issues are still there. I'm handling too many issues at the same time.
9/ My process is far from being perfect. So why are you using it?
Because it's quite effective and with it, we managed to fix hundreds of issues. Give me a process with the same results and I will use it, no problem.
10/ Do I make mistakes?
F*ck yeah. I'm sorry if you wanted to be credited or if I didn't answer your DM. I'm handling a lot of things at the same time, I'm receiving hundreds of messages per day, so yep, it's complicated to be everywhere.
12/ These young kids are obsessed with "the fame", with having a lot of CVEs, finding the most complicated security issue in the world, the number of followers on social networks.

You don't know how much I don't care. I only care about fixing issues.
13/ This dick challenge is the reason why our community is toxic. I don't find complicated bugs, I don't pretend to know everything. I'm trying to find bugs with a big impact. I'm very proud to find stupid bugs (technically speaking) with an insane impact.
14/ So, continue your challenge alone, I'll be in the background trying to push companies to fix their sh*t.
15/ Worth saying, I do this work for free. I never ask companies for money during the process.
Keep Current with Elliot Alderson