by capt8bit 3997 days ago
> My comment was supposed to be an addendum but I failed by nitpicking and questioning your interpretation. I'm sorry.

Well, I appreciate you pointing out where I was vague. You provided, and brought about, some important clarification.

> Which channel are you using as a first contact?

It takes quite a bit of effort to make a nice writeup for an identified vulnerability and hunt down where to send it. Generally, someone willing to take the time to be nice and send in a detailed report is willing to look for the best channel to send information through.

I start by looking through the "About" and "Contact" pages of the web application or service that I found the vulnerability on. If they have a reference to a bug tracking system, a system administrator, or a security contact, I send it there. If they are all emails, I usually send a message to all of them, to make sure that someone receives it. (If I don't know who is going to get the message, I am initially vague on the vulnerability, and ask for a technical contact to forward the technical information to.) Otherwise, I look at whois information to see if there is a good technical contact. If I still haven't found a good contact, I send a message to all of the emails listed in the RFPolicy. If all of those messages bounce, I send a message to any email address I can find for the domain. And once, I even called in to a sales line after all of this, and explained the situation. They got me in contact with "Bob the website guy" to take care of the issue.

I have never received a bounty for any of these. I just want to do my best to make sure it gets taken care of.

> Would it be enough for me as a SaaS supplier to monitor security@myservice.com?

I think this would be a good backup plan. Probably safe to add forwards for all the RFPolicy emails.

> I must admit I'm a bit afraid of a cleartext channel for this kind of disclosure. Would you have some recommendations for the receiving part of the vulnerability?

My recommendation would be to make it easy and clear to find how you would prefer to receive notices. If you include your PGP key on your contact page with a message that all security reports should be encrypted, most I know are willing to do so. If you prefer them to send it via an HTTPS "Contact" page, say so, and most will see that and send it via that channel. Just like your SaaS, if you make it intuitive and useful, they will be happy to use it.