
Matasano Chargen: Vulnerability Reporting in a Web 2.0 World

  • Daniel · 2 years ago
    Web 2.0 + Security was like DotCom + Logic, they aren't meant to be :)
  • chrisw · 2 years ago
    What we need is disclosure 2.0 guidelines for web 2.0 software. Dave did the right thing by informing the software company. The software company did the wrong thing by treating this as a bug. Perhaps there should be a "hall of web 2.0 shame" for companies that don't fix vulnerabilities reported to them in a timely way.

    Perhaps we need a place where researchers like Dave can submit a posting saying they have informed Vendor X of Vulnerability Y on Date Z with CVSS score of A. Then Vendor X can get this taken off the list by saying they fixed it. If it wasn't really fixed Dave can inform the list and it goes back on. Use web 2.0 to police web 2.0.

    -Chris
  • magnus · 2 years ago
    At least they didn't take you to court... yet. ;-)
  • Jordan Wiens · 2 years ago
    I notified a website back in October that they had multiple serious security flaws. Including some really stupid ones -- among them, "authentication" resulted in you getting a cookie set to your username -- change the cookie, become another user.

    Their response was along the lines of "oops, yeah, we should totally fix that!". I followed up two months later, never heard back and forgot about it until now. Checked again, and they're still vulnerable.

    *sigh*
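The "cookie set to your username" flaw Jordan describes is worth seeing side by side with a fix. The following is an added example, not code from the original post or from the site he reported; the secret key, usernames and helper names are constructed for illustration. It shows the vulnerable scheme (the cookie is the username, so editing it is impersonation), an integrity-protected variant that binds the username to an HMAC under a server-side secret, and the usual alternative of an opaque random session ID looked up server-side.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example only. A real deployment
# would generate this randomly and keep it out of source control.
SECRET_KEY = b"example-secret-key-do-not-reuse"


# --- Vulnerable scheme: the session cookie is simply the username ---------
def vulnerable_issue_cookie(username: str) -> str:
    """Returns the cookie the server sets after a successful login."""
    return username


def vulnerable_current_user(cookie: str) -> str:
    """Trusts the cookie outright: whoever edits it becomes that user."""
    return cookie


# --- Hardened scheme 1: username bound to an HMAC tag ----------------------
def _tag(username: str) -> str:
    return hmac.new(SECRET_KEY, username.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_issue_cookie(username: str) -> str:
    """Cookie is 'username:tag'; the tag can only be produced with SECRET_KEY."""
    return f"{username}:{_tag(username)}"


def hardened_current_user(cookie: str):
    """Returns the username only if the tag verifies, otherwise None."""
    username, sep, tag = cookie.rpartition(":")
    if not sep:
        return None
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(_tag(username), tag):
        return None
    return username


# --- Hardened scheme 2: opaque random session ID, state kept server-side ---
_SESSIONS = {}  # session id -> username (in-memory store for the example)


def opaque_issue_session(username: str) -> str:
    """Cookie carries no user data at all, just an unguessable token."""
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = username
    return session_id


def opaque_current_user(cookie: str):
    return _SESSIONS.get(cookie)


def demo() -> dict:
    """Exercises all three schemes against the 'change the cookie' attack."""
    alice_vuln = vulnerable_issue_cookie("alice")
    alice_hmac = hardened_issue_cookie("alice")
    alice_tag = alice_hmac.rpartition(":")[2]
    alice_sid = opaque_issue_session("alice")
    return {
        # Legitimate use works in every scheme.
        "vuln_ok": vulnerable_current_user(alice_vuln),
        "hmac_ok": hardened_current_user(alice_hmac),
        "opaque_ok": opaque_current_user(alice_sid),
        # Attacker rewrites the cookie to claim the admin account.
        "vuln_forged": vulnerable_current_user("admin"),
        "hmac_forged_no_tag": hardened_current_user("admin"),
        "hmac_forged_reused_tag": hardened_current_user("admin:" + alice_tag),
        "opaque_guess": opaque_current_user("admin"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The HMAC variant still reveals the username in the cookie and cannot be revoked without rotating the key; the opaque-token variant is what most frameworks do by default, with the session ID being the only thing the client ever holds.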
  • Dan Weber · 2 years ago
    Unlike software companies, I'm really paranoid about reporting vulnerabilities to websites. The best you can reasonably hope for is that they won't try to sue. :(

    This is maybe about where software companies were 15 or 20 years ago.
  • Thomas Ptacek · 2 years ago
    This company didn't treat the vuln report as a bug. They treated it as a FEATURE REQUEST.
  • dre · 2 years ago
    secure software contracts annexes based on owasp/mitre/wasc/samate/sans-ssi (probably in that order) certifications are the future of web 2.0 b2b.

    unfortunately, only sans-ssi exists right now, although owasp has this:
    http://www.owasp.org/index.php/OWASP_Secure_Sof...
    and mark curphey got like $200k to work on a project called "owasp certification" a few weeks ago which he claims will replace pci. pci-dss and texas are going to hell in a handbasket as they well should.

    i talked about this at chisec last night
  • LonerVamp · 2 years ago
    I think some Web 2.0 companies have not transitioned internally from being short-sighted to longer-sighted. In the short term, unless you're actually selling security, the impetus is to get the product viable and functional. Security just can't be a cost or detractor from that. Longer-term, devels can start thinking about security and doing things the right way, once a little bit more of their future is "secured." (Pun intended!)

    Others just like to build things...maintenance (and beefing up security) are sometimes not what they want to do. :\

    Not saying that's right, but...damnit... :)
  • Ryan Russell · 2 years ago
    Those of us who tend a little more towards the punitive end of the spectrum would tend to say that at this point, you name the company (if not the vuln.)

    Yay! Free education for everybody...

    (Or perhaps in your subtlety, you're going to point them at this entry and ask nicely one more time... if so, where's the hash of your advisory?)
  • Thomas Ptacek · 2 years ago
    They could get vindictive and kick us off their application! No thanks!
  • Ryan Russell · 2 years ago
    Picking functionality over security there, Tom? ;)
  • stacy · 2 years ago
    So maybe you should "vote with your wallet" and look for an alternative application.

    If you don't consider the vulnerability serious enough to not use the application, why should they think it is serious enough to expend resources to fix?
  • Dave G. · 2 years ago
    stacy:

    In this situation, I don't think the cost of one customer is going to motivate anyone. Besides, not using products and services every time there is a security issue that isn't resolved to my satisfaction would basically cause me to stop using computers. :)
  • Money and lawyers · 2 years ago
    Try contacting their funding source or, better yet, their lawyers. These days, those folks understand the words "risk to brand", etc.