How to report a security vulnerability to an organization
Finding a new vulnerability is exciting and, depending on the vulnerability and organization, can be lucrative. However, finding the vulnerability is only part of the process.
Reporting a vulnerability to a vendor can be difficult. Some vendors are not set up to receive vulnerability reports, and they may not be receptive to hearing about issues with their software. However, reporting vulnerabilities is vital to getting a patch created and deployed.
Finding the right contact
Sometimes, when reporting a security vulnerability to an organization, finding the right person to talk to is the biggest challenge. Not all companies have taken the time to set up a method for ethical hackers to reach out and securely report potential security issues to them.
When looking for a point of contact, some places to check include:
- Bug bounty program: if an organization has set up a bug bounty program, this is the appropriate place to report any discovered vulnerabilities. A bug bounty program will include a means of securely contacting the right team, rules of engagement and potentially the opportunity for a reward. However, it is important to read and follow the program’s rules carefully, especially what is and is not considered “in scope.”
- Security.txt file: like the robots.txt file for web crawlers, some organizations have started publishing a security.txt file for security researchers. If it exists, this file contains the contact information for the appropriate point of contact within the organization. The file should be located at https://<domain>/.well-known/security.txt
- Contact information: many companies have a “Contact Us” form on their website or other contact information for their customers. Reach out this way, explaining that you’ve discovered a potential security issue and would like to contact the IT or security team. However, don’t provide details at this point in case the message falls into the wrong hands.
- Domain registration: The domain registration for a website may include contact details of employees inside the company, potentially including the webmaster’s email address. This can be a starting point for finding the appropriate team within the organization.
- Contact CERT: If you can’t find the right person within an organization, or the organization isn’t responding, contacting your CERT is another option for vulnerability reporting. Organizations like US-CERT can help with establishing contact with vendors for vulnerability reporting.
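As an added example that is not part of the original article, the following Python helper builds the security.txt URL for a domain and parses the file's fields (Contact, Encryption, Expires, as defined in RFC 9116), flagging a missing or past Expires date before the contact details are relied on. The sample file contents and the example.com addresses are constructed.

```python
# Added example: locate and parse security.txt (RFC 9116); sample values are constructed.
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAMPLE_SECURITY_TXT = """\
# Constructed sample of https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
Expires: 2099-12-31T23:59:00.000Z
Policy: https://example.com/security/policy
"""

def security_txt_url(domain: str) -> str:
    """RFC 9116 location: the .well-known path served over HTTPS."""
    return f"https://{domain}/.well-known/security.txt"

def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field name -> list of values; fields such as Contact may repeat.
    Comment (#) and blank lines are skipped; lines without a colon are ignored."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def is_expired(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> bool:
    """Expires is mandatory in RFC 9116; a missing or past date means the file
    (and the key/contact it points to) should not be trusted without confirmation."""
    values = fields.get("expires")
    if not values:
        return True
    expires = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    return expires <= (now or datetime.now(timezone.utc))

def triage(text: str) -> Dict[str, object]:
    """Summarise what a researcher needs before sending an encrypted report."""
    fields = parse_security_txt(text)
    return {
        "contacts": fields.get("contact", []),
        "encryption_keys": fields.get("encryption", []),  # URIs to the PGP key
        "expired": is_expired(fields),
    }
```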
Reporting the vulnerability
Once you contact the appropriate person, you can send over a full report of the vulnerability. This should be done using end-to-end encryption, such as OpenPGP. Many organizations will publish a PGP key alongside their security contact information.
A vulnerability report should include as much information as possible about the vulnerability you discovered. Key information includes:
- Affected software: list the names and version numbers of all software you know or believe will be impacted by the vulnerability.
- Vulnerability description: describe the discovered vulnerability as completely as possible, including the type, location and how it can be exploited. If possible, include the potential severity of the vulnerability and a description of how an attacker could potentially exploit it.
- Exploit: if possible, include a proof of concept (PoC) or a description of how the vulnerability can be exploited. This will help the vendor validate the vulnerability report and test any proposed patches.
After generating a report, send it to your contact using a secure channel. Be sure to only communicate details with the affected vendor and over the secure channel. Once the report is received and reviewed, the contact may ask for more information.
Often, vendors will allow a public write-up of a vulnerability by the security researcher who discovered it once it is no longer a threat. After you’ve received permission (and potentially had a post reviewed by the company), you can publicize your discovery. Until then, keep the details confidential so they cannot leak and be exploited.
Legal considerations for vulnerability reporting
One of the biggest concerns about vulnerability reporting is the potential for legal action against ethical hackers by the vendors they report to. Laws about ethical hacking vary from one jurisdiction to another, so it is important to check local regulations.
In the U.S., the Computer Fraud and Abuse Act (CFAA) used to be a cause for concern due to the law’s vague wording and vendors’ attempts to use it to block security research. However, in 2021, the Supreme Court case Van Buren v. United States refined the interpretation of the law to better achieve its goal of targeting criminals without sweeping up well-intentioned security researchers.