by tcd 2250 days ago
Just drop a line on twitter saying you've discovered a vulnerability in $popularSoftware and mention $company. Say you'll be disclosing in 90 days if $company doesn't issue a reply publicly.

Make sure to deal with an actual human and that everything is done according to best practice. You may even get publicity this way and even if it's unethical it can be sold or used to your advantage.

If they care, trust me when I say they will make an effort. Most places (like Google) have effective systems in place for dealing with such queries.

2 comments

> even if it's unethical

it wouldn't even be unethical. responsible disclosure starts with engaging with the company at eye level. all that these bug bounty platforms do is take away exactly this power and allow the company to consolidate the contract to a single entity (e.g. preferred supplier). they deserve even less respect than any shady recruiter or typical outsourcing sweat-shop.

giving these people power is like talking to a cop without a lawyer - regardless of what they say, they don't have your interest in mind and you have lost before the game has even started.

> Say you'll be disclosing in 90 days if $company doesn't issue a reply publicly.

That's blackmail. An expedient way of getting your door breached.

The idea that you would get a no-knock forcible entry for disclosing a bug is appalling and potentially an indictment of our entire criminal justice system.

I'm assuming vntok's legal conclusion and claim of the type of law enforcement response is true (please do not make things up on Hacker News).

In which case my former support for the police and law and order is SERIOUSLY diminished.

You have a non-violent offense, that is not an actual offense, and they are doing SWAT door breaches on you. Wow! The priorities of these companies and law enforcement are backwards then.

I guess folks are being told to just sell it to a zero day vendor (which also happens to work for the same govt agency that will bust down your door if you disclose publicly). Pretty appalling behavior here!

"Hey, @WhiteHouse, while interacting with your systems with the intent to find security flaws and obtain unauthorized access (I wrote scanners and tools and payloads so you know I really wanted to succeed here), I've found a security flaw that allows me to launch nuclear warheads from my garage in Missouri. I will publish this info online if you don't meet my demands. You have less than a month to comply."

Yeah, that kind of bullshit won't fly in any sane criminal justice system. Now replace "launch nukes" with "download every movie you're working on" or "flash-crashing the stock market at any time", and you'll see that the argument doesn't change: it doesn't fly anywhere.

No, the disclosure is disconnected from payment, so it's not blackmail. Notifying companies is a courtesy, and considered good form. Companies offering rewards is to incentivize this behavior. Researchers releasing vulnerabilities after a time period no matter what is to incentivize companies to actually fix the problems (not just pay to shut up the researcher). Both are useful for a well-functioning system of independent researchers finding vulnerabilities in companies that then get fixed.

Releasing the vulnerability because you weren't paid, regardless of whatever timelines you would have followed? That's blackmail. I imagine having a very clear and consistent policy as a researcher that is not based on money (but can be based on company participation and whether they seem like they are actually trying to fix the problem) will go a long way towards clearing you of any suspicion of blackmail.

That is false. In many jurisdictions, blackmail does not require a financial transaction, merely obtaining something deemed valuable by the blackmailer in exchange for keeping the blackmailee's information private. See [1] for the US:

Whoever, under a threat of informing, or as a consideration for not informing, against any violation of any law of the United States, demands or receives any money or other valuable thing, shall be fined under this title or imprisoned not more than one year, or both.

In cases like this one, "bragging rights" are easy to prove as deemed valuable by the blackmailer: they can bring anything from job prospects to donations from activists to free beers at Blackhat.

[1] https://www.law.cornell.edu/uscode/text/18/873

> merely obtaining something deemed valuable by the blackmailer in exchange for keeping the blackmailee's information private.

Exactly. That's why if you have a policy about when the information goes public which is entirely independent of any benefits provided by the company in question, it's not blackmail.

You're not saying "unless you give me X benefit I do Y", you're saying "I'm doing Y at Z date, but I may extend that if you show you're working on the problem," which isn't a benefit to you specifically, but to those affected. As long as you make sure any benefit to yourself is removed from that decision, I imagine blackmail would be very hard to prove.

Bragging rights aren't really the company's to give, since you have the information and will be making it public, unless someone else beat you to it. In that case, going live early unless the company says you found it does impart a real benefit to you that you extracted from the company. That's not what I viewed this thread as about though. Saying you'll release the vulnerability you were already going to release (if you had a clear policy applied consistently) is not so much a threat as giving the company an appropriate chance to respond.

I agree in the case of private companies with little or no public component it does get less clear cut. I'm not sure what those would be though.

In the US, blackmail requires a benefit in exchange for not disclosing information.

A public reply isn't much of a benefit, and my understanding is that the vulnerabilities will be disclosed eventually within a reasonably limited timeframe.

Google Project Zero is doing exactly that -- disclosing them in 90 days no matter if they're fixed or not.

This kind of pressure is helpful, because otherwise stories of OP will be dominant and security problems will stay unpatched.

but do they trumpet on twitter that they have an exploit and will release it in 90 days?

that's the difference

They have a public issue tracker (issues are withheld from public for 90 days): https://bugs.chromium.org/p/project-zero/issues/list

and a blog: https://googleprojectzero.blogspot.com/

and a Github org: https://github.com/googleprojectzero

and their members do tweet about their findings on their personal accounts.

But no, they don't have an official Twitter account.

A lovely example of why one shouldn't take legal advice from message boards.

But I would say that if you're doing this sort of thing for the first time, I would strongly advise you to talk to a lawyer who knows this corner of the law, and to someone who has done this before.

Smarts do not substitute for experience and domain-specific knowledge.

That's similar to how Project Zero (by Google) works. Exploits get released in 90 days unless the developers can provide a plausible justification why that deadline can't be reached.