Some months I reported "HTTP request smuggling" vulnerabilities to various VDPs.
All of them fixed the issue in the meantime. There was one interesting exception which taught me how careful you have to act, even with VDPs: A German company which is described like this
All of them fixed the issue in the meantime. There was one interesting exception which taught me how careful you have to act, even with VDPs: A German company which is described like this
When I found the first issue with this company, I publicly asked on where and how to report.
It didn't take long till I got a direct contact and was directed to a private VDP on the major bounty platform. I agreed to use it (which meant NDA) because my contact was trustworthy
It didn't take long till I got a direct contact and was directed to a private VDP on the major bounty platform. I agreed to use it (which meant NDA) because my contact was trustworthy
The report was pending for about two weeks (no managed program). During this time I started to work out related issues in other public web pages from the same company, when the initial report was closed as "not being applicable" without any explanation.
I ultimately asked if I'm allowed to use thus statement for a disclosure of similar findings (which I had not reported yet). I failed communication wise, as I combined my question with a ridiculous 1 hour deadline (yes, I was a bit emotional).
Expectedly I was reminded in the...
Expectedly I was reminded in the...
Terms of Service I agreed with (which imo served as NDA in this case).
The fun thing about this reminder: It also stated that a team was working on a fix for this issue (which was not applicable, right?????).
After some back and forth, I had a TelCo with the ...
The fun thing about this reminder: It also stated that a team was working on a fix for this issue (which was not applicable, right?????).
After some back and forth, I had a TelCo with the ...
... Heads of Security Operations of said Company. Beside sorting out all issues which happened communication wise, we agreed to don't take further actions on both ends, till the report is reviewed independently by a moderator from the bounty platform (this option was not ...
... available before, my case was basically the kickoff to use bounty platform provided triage and communication support, as I was told).
After more than TWO MONTHS a "communication specialist" from the bounty platform reached out to me.
While he admitted that it took a long...
After more than TWO MONTHS a "communication specialist" from the bounty platform reached out to me.
While he admitted that it took a long...
time, I still wrote an extensive answer covering everything what was done communication wise and including a clear statement that the reported issues still exist and the provided Proof-of-Concepts are still working. In addition I asked how I should interpret the offer to ...
"reset communication" (delete the dialogs and leave the still working PoCs untouched? Rewriting the report?)
It took another two weeks till I received the following reply:
It took another two weeks till I received the following reply:
To sum up:
- vulnerabilities unpatched
- customers not informed
- I'm not allowed to talk about in detail
- involved communication partners on company end seem to be subject of "change ... in organisation"
- vulnerabilities unpatched
- customers not informed
- I'm not allowed to talk about in detail
- involved communication partners on company end seem to be subject of "change ... in organisation"
@threadreaderapp unroll
