How to report a security vulnerability to an organization
Finding a new vulnerability is exciting and, depending on the vulnerability and organization, can be lucrative. However, finding the vulnerability is only part of the process.
Reporting a vulnerability to a vendor can be difficult. Some vendors are not set up to receive vulnerability reports, and they may not be receptive to hearing about issues with their software. However, reporting vulnerabilities is vital to getting a patch created and deployed.
Learn Vulnerability Management
Finding the right contact
Sometimes, when reporting a security vulnerability to an organization, finding the right person to talk to is the biggest challenge. Not all companies have taken the time to set up a method for ethical hackers to reach out and securely report potential security issues to them.
When looking for a point of contact, some places to check include:
- Bug bounty program: if an organization has set up a bug bounty program, this is the appropriate place to report any discovered vulnerabilities. A bug bounty program will include a means of securely contacting the right team, rules of engagement and potentially the opportunity for a reward. However, it is important to read and follow the program's rules carefully, especially what is and is not considered "in scope."
- Security.txt file: like the robots.txt file for web crawlers, some organizations have started creating a security.txt file for security researchers. If it exists, this file will contain the contact information for the appropriate point of contact within the organization. The file should be located at https://<URL>/.well-known/security.txt
- Contact information: many companies have a “Contact Us” form on their website or other contact information for their customers. Reach out this way explaining that you’ve discovered a potential security issue and would like to contact the IT or security team. However, don’t provide details at this point in case the message falls into the wrong hands.
- Domain registration: The domain registration for a website may include contact details of employees inside the company, potentially including the webmaster’s email address. This can be a starting point for finding the appropriate team within the organization.
- Contact CERT: If you can’t find the right person within an organization or aren’t responding, contacting your CERT is another option for vulnerability reporting. Organizations like US-CERT can help with establishing contact with vendors for vulnerability reporting.
Reporting the vulnerability
Once you contact the appropriate person, you can send over a full report of the vulnerability. This should be done over an end-to-end encrypted messaging system, such as OpenPGP. Many organizations will include a PGP key with their security contact information.
A vulnerability report should include as much information as possible about the vulnerability you discovered. Key information includes:
- Affected software: list the names and version numbers of all software you know or believe will be impacted by the vulnerability.
- Vulnerability description: describe the discovered vulnerability as completely as possible, including the type, location and how it can be exploited. If possible, include the potential severity of the vulnerability and a description of how an attacker could potentially exploit it.
- Exploit: if possible, include a proof of concept (PoC) or a description of how the vulnerability can be exploited. This will help the vendor validate the vulnerability report and test any proposed patches.
After generating a report, send it to your contact using a secure channel. Be sure to only communicate details with the affected vendor and over the secure channel. Once the report is received and reviewed, the contact may ask for more information.
Often, vendors will allow a public write-up of a vulnerability by the security researcher who discovered it after it is no longer a threat. After you've received permission (and potentially had a post reviewed by the company), you can publicize your discovery. Keep it secret to help protect the details from leaking and being exploited until then.
Learn Vulnerability Management
Legal considerations for vulnerability reporting
One of the biggest concerns about vulnerability reporting is the potential for legal action against ethical hackers by the vendors they report to. Laws about ethical hacking vary from one jurisdiction to another, so it is important to check local regulations.
In the U.S., the Computer Fraud and Abuse Act (CFAA) used to be a cause of concern due to vendors' vague wording and attempts to use it to block security research. However, in 2021, the Supreme Court case Van Buren vs. United States refined the interpretation of the law to better achieve its goal of targeting criminals without sweeping up well-intentioned security researchers.
Sources
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- How to report a security vulnerability to an organization
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
