You asked, so I'll deliver. This is what I know about responsible disclosure/#CVD/how to report security issues in other people’s software. Call it "10 Commandments of Durson" if you want. 🧵
1. Be verbose - more info is better. Don't assume that anyone will know what you're reporting from context. Include as many details and as much background as possible in your report.
2. Produce - *and provide* - a proof of concept which bears out your assertions. Any decent incident responder will be fine reading a 10 page description of your findings. But if they can't reproduce them, they can't help you.
3. Be prepared for disappointment. Bug hunting is hard, painful, irritating work which may be thrown away as "known issue" or "won't fix" or "accepted risk". It happens - and it's not personal.
4. That being said: If you disagree with such assessments, fight for yourself - everyone is wrong sometimes. Push back with evidence.
5. Being rewarded is nice, but not mandatory. Bounties are at the receiving party's discretion. Be prepared to not receive anything - it'll make the first bounty feel SO MUCH BETTER.
6. Badgering or threatening vendors to extract a reward isn't responsible disclosure - it's extortion. Be nice.
7. If you're confident in your findings, include a *disclosure date* in your report and be upfront about your disclosure plan (blog/tweet/other). This keeps everyone on the same page and helps the responding party determine the scope/pace of their work.
9. Operate with good intentions in mind. You're hacking on other people’s stuff - treat it with respect. If your targets publish rules of engagement, follow them to the letter.
10. Above all, have some fun. Get to know the teams you report stuff to - we love making new friends :)
Coda: thanks to @samuelkarp for proofreading!
• • •
Missing some Tweet in this thread? You can try to
force a refresh
