by rvnx 703 days ago
You've noticed an issue.

You let the manufacturer know, and you let them decide for the next steps.

No ultimatum to threaten to disclose to the public or to ruin their reputation, it's not your business.

In the meantime, you keep it for yourself.

You helped: no lawyers, no problems.

If there really is a safety issue, after a reasonable period of time you can inform the regulators, as it is their job to assess safety.

This is responsible disclosure, not TMZ-style public-shaming.

2 comments

You're presenting this as if it's a new idea, but the security industry tried the above (for the majority of the time that "computer security" has been a thing) and... it didn't work! That's the whole reason public disclosure came about in the first place -- there's quite a rich history there if you're interested.

Some other thoughts:

>You let the manufacturer know, and you let them decide for the next steps.

Which, as history has proven, the "next steps" are generally to sweep it under the rug, to be forgotten about until it's exploited by a bad actor.

>it's not your business

But, what about when it is? On-topic: I drive a car, so I care about vulnerabilities in traffic lights and they may directly affect me. It's also my business if my personal data is stolen, or my identity, or corporate data, etc.

>You helped: no lawyers, no problems.

No problems... Until the vulnerability is exploited and it causes me a problem.

> No ultimatum to threaten to disclose to the public or to ruin their reputation, it's not your business.

I found an authentication bypass in a door card access controller. Per the installer I was working with, the units are regularly exposed directly to the Internet. (Heck, the installer was trying to cajole my Customer into doing it for "remote support" reasons.)

Given that there's an impact to the public-- albeit not necessarily directly safety-related-- I think this kind of vulnerability is still "my business".

If I owned one of these controllers and it was "protecting" my property I'd want to know.

(Fun aside: The installer went so far as to suggest that because their other Customers expose these units to the Internet-- particularly a small bank who is "audited" for "security"-- it would be okay if my Customer did it. Needless to say, my Customer did not. I let my Customer know about the auth. bypass and we kept the unit locked down in a VLAN w/ a restrictive ACL, but I never publicly disclosed... too afraid of hostile response from the vendor. Eventually a researcher did find it and disclose it publicly, at least...)