Re: failure notice

[Nikola Milosevic <nikola.milosevic86 () gmail com>]

Well I believe the right answer is nothing. If you publicly disclose it,
you are risking being sued.

It is ethically to disclose it to them, as you did it. However, company is
not liable of giving you price or even do anything about the vulnerability
(I guess until it is too late). They don't even need to write you thank you
mail. It is good practise to do something about, and even to give price to
motivate such researches and harden their security, but no one forces them
to do so.

I know not receiving answer is quite disappointing, but I don't think you
have any other "right" option for reacting to that.

Best regards,

Nikola Milošević


On 25 July 2014 16:21,  <MAILER-DAEMON () lists securityfocus com> wrote:
> Hi. This is the qmail-send program at lists.securityfocus.com.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <pen-test () lists securityfocus com>:
> ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)
>
> --- Below this line is a copy of the message.
>
> Return-Path: <nikola.milosevic86 () gmail com>
> Received: (qmail 14541 invoked from network); 25 Jul 2014 15:21:58 -0000
> Received: from sf01mail1.securityfocus.com (HELO mail.securityfocus.com) (192.168.120.35)
>   by lists.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
> Received: (qmail 31663 invoked by alias); 25 Jul 2014 15:21:58 -0000
> Received: (qmail 31658 invoked from network); 25 Jul 2014 15:21:58 -0000
> Received: from sf01mx2.securityfocus.com (192.168.120.32)
>   by mail.securityfocus.com with SMTP; 25 Jul 2014 15:21:58 -0000
> X-AuditID: c0a87820-b7b97ae000007517-38-53d27616e66d
> Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44])
>         by sf01mx2.securityfocus.com (Symantec Messaging Gateway) with SMTP id 60.56.29975.61672D35; Fri, 25 Jul 2014 
> 15:21:58 +0000 (GMT)
> Received: by mail-oa0-f44.google.com with SMTP id eb12so5723828oac.3
>         for <pen-test () securityfocus com>; Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=gmail.com; s=20120113;
>         h=mime-version:in-reply-to:references:from:date:message-id:subject:to
>          :cc:content-type;
>         bh=LN1bYANfptzyu7cgy3/Vf+GrzSi1bK7FavQQlZSjo5k=;
>         b=GhcJgI8FetDyXZdD8M05GH7kU+0Ey+kCES0Kr0ROEmEyOSlLmdzgnSjGyfphKNiwO7
>          XJs/D2opPJYpi0K8HxQmfMw7OAX+BLjKO3mnG/QzYvGNRbiePBdK4EmcQEzSnzfbg8/D
>          hcSH+i9EdEwY+C0PzWvJgK3XEnjIred81agBkMWMLwtILxU3a0PYA6s3fSZdxn1D7Cw9
>          TG+1vGmwk8zns8XVhXbns57I5PQanNILJLmMGJ6DHLwMYL+Eb5et21FOP+uyNMoS/0IO
>          w6MZBfu1RYpQiMBMe3JnXIWrNHlXO8Ppi/zWyZVsI7C0RuZA24vTmkETXQGURdCM4Kpa
>          WZfQ==
> X-Received: by 10.182.149.235 with SMTP id ud11mr23892314obb.50.1406301717486;
>  Fri, 25 Jul 2014 08:21:57 -0700 (PDT)
> MIME-Version: 1.0
> Received: by 10.202.67.196 with HTTP; Fri, 25 Jul 2014 08:21:37 -0700 (PDT)
> In-Reply-To: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
> References: <CACcv7ke1hEbyWwFZp41J3oSUy_ORf7tmq+015Hg7iSgyOsjnuQ () mail gmail com>
> From: Nikola Milosevic <nikola.milosevic86 () gmail com>
> Date: Fri, 25 Jul 2014 16:21:37 +0100
> Message-ID: <CAJWAiW48ZA62nXrRiL-naKBu=URGCz-tnLnUNZSEKtCEb8W=RA () mail gmail com>
> Subject: Re: How to deal with the company that doesn't react on providing them
>  information about serious security vulnerability?
> To: =?UTF-8?B?TWljaGHFgiBSeWJpxYRza2k=?= <fishmanos79 () gmail com>
> Cc: pen-test () securityfocus com
> Content-Type: multipart/alternative; boundary=001a11348abc51692c04ff062208
> X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphluJIrShJLcpLzFFi42K5GHpbR1es7FKwwaEtyhatHVtYHRg97p+5
>         xR7AGMVlk5Kak1mWWqRvl8CVsXjBAaaCLwYVfz8sY2pgPKjRxcjJISFgItGwax8LhC0mceHe
>         erYuRi4OIYGrjBI3D7UwQzhTGSU2n38N5rAITGeVOHmrmxmipUxief9qMJtXQFDi5MwnYKOE
>         BLwlVv6eBWZzCgRKPPv3jQ0iHiCx9PRWRhCbTcBUYtH8dUwgNouAqsTWKxOA6jmA5gRI7Jvq
>         CrJLWKCJUeLv/SNgvSICDhL/P2wA28UsICexeepUFgjbS2LFoqvMExgFZyE5YxaS1AJGplWM
>         ksVpBoa5FUZ6xanJpUWZJZVp+cmlxXrJ+bmbGIHheGBFhcIOxgsXdQ8xMnFwXmKUlRLmZWRg
>         YBDiKUgtys0siS8qzUkthoW4VAPjlLtLpxUfe7cslsn2du8drqNCUfyG87j+pM6xmu7GevbV
>         bjN9fq659vmfz55ZvC1VjvV5xa6OMxr3PJycL6xwYE3PXb7z1wmdHZvZZxtfXxeW/sa112oW
>         e9msn7Y/Gcq/5N9lYVp+6uzS9+Fh1z57dv2d+yh3Hvtxz/nd06tVd7iFiIQvkz+0QImlOCPR
>         UIu5qDgRAP747voXAgAA
>
> --001a11348abc51692c04ff062208
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> Well I believe the right answer is nothing. If you publicly disclose it,
> you are risking being sued.
>
> It is ethically to disclose it to them, as you did it. However, company is
> not liable of giving you price or even do anything about the vulnerability
> (I guess until it is too late). They don't even need to write you thank you
> mail. It is good practise to do something about, and even to give price to
> motivate such researches and harden their security, but no one forces them
> to do so.
>
> I know not receiving answer is quite disappointing, but I don't think you
> have any other "right" option for reacting to that.
>
> Best regards,
>
> Nikola Milo=C5=A1evi=C4=87
>
>
> On 23 July 2014 11:06, Micha=C5=82 Rybi=C5=84ski <fishmanos79 () gmail com> wr=
> ote:
>
> > Hi all,
> >
> > I believe this is the best place to ask such question because I would
> > imagine that most of people reading this list have something to do
> > with discovering vulnerabilities and reporting them to parties
> > responsible.
> >
> > On the beginning of the January I have discovered some security flaw
> > which allows basically anyone to access all personal client's data
> > (full name, full address, email address and a few more) of one of the
> > most known Internet IT magazine.
> > Although I have sent information about it to 3 different contact email
> > addresses in the two months time span, the only thing I got in return
> > was information that "We have received your email and have forwarded
> > it to our main office to review and advise." received on 1st of April.
> > Since then I haven't heard from them at all.
> >
> > The easiest action I can think of is to just make a full disclosure of
> > the flaw and wait for the reaction but because this would allow almost
> > anyone to access personal data of tenths if not hundreds thousands of
> > subscribers (including me), I'd rather not do that...
> >
> > Could anyone of you propose what would be the best solution in this
> > case or maybe generally this subject can be the start for the more
> > general question - what should be done with the companies that doesn't
> > react on such information sent?
> >
> > Many thanks
> > MR
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Boa=
> rd
> > Prove to peers and potential employers without a doubt that you can
> > actually do a proper penetration test. IACRB CPT and CEPT certs require a
> > full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
> --001a11348abc51692c04ff062208
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D"ltr"><div><div>Well I believe the right answer is nothing. If y=
> ou publicly disclose it, you are risking being sued. <br><br></div>It is et=
> hically to disclose it to them, as you did it. However, company is not liab=
> le of giving you price or even do anything about the vulnerability (I guess=
>  until it is too late). They don&#39;t even need to write you thank you mai=
> l. It is good practise to do something about, and even to give price to mot=
> ivate such researches and harden their security, but no one forces them to =
> do so. <br>
>
> <br></div>I know not receiving answer is quite disappointing, but I don&#39=
> ;t think you have any other &quot;right&quot; option for reacting to that.<=
> br><div><div class=3D"gmail_extra"><br clear=3D"all"><div><div dir=3D"ltr">=
> <div>
>
> Best regards,<br></div><div><br>Nikola Milo=C5=A1evi=C4=87</div></div></div=
> >
> <br><br><div class=3D"gmail_quote">On 23 July 2014 11:06, Micha=C5=82 Rybi=
> =C5=84ski <span dir=3D"ltr">&lt;<a href=3D"mailto:fishmanos79 () gmail com" ta=
> rget=3D"_blank">fishmanos79 () gmail com</a>&gt;</span> wrote:<br><blockquote =
> class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid=
> ;padding-left:1ex">
>
> Hi all,<br>
> <br>
> I believe this is the best place to ask such question because I would<br>
> imagine that most of people reading this list have something to do<br>
> with discovering vulnerabilities and reporting them to parties<br>
> responsible.<br>
> <br>
> On the beginning of the January I have discovered some security flaw<br>
> which allows basically anyone to access all personal client&#39;s data<br>
> (full name, full address, email address and a few more) of one of the<br>
> most known Internet IT magazine.<br>
> Although I have sent information about it to 3 different contact email<br>
> addresses in the two months time span, the only thing I got in return<br>
> was information that &quot;We have received your email and have forwarded<b=
> r>
> it to our main office to review and advise.&quot; received on 1st of April.=
> <br>
> Since then I haven&#39;t heard from them at all.<br>
> <br>
> The easiest action I can think of is to just make a full disclosure of<br>
> the flaw and wait for the reaction but because this would allow almost<br>
> anyone to access personal data of tenths if not hundreds thousands of<br>
> subscribers (including me), I&#39;d rather not do that...<br>
> <br>
> Could anyone of you propose what would be the best solution in this<br>
> case or maybe generally this subject can be the start for the more<br>
> general question - what should be done with the companies that doesn&#39;t<=
> br>
> react on such information sent?<br>
> <br>
> Many thanks<br>
> MR<br>
> <br>
> ------------------------------------------------------------------------<br=
> >
> This list is sponsored by: Information Assurance Certification Review Board=
> <br>
> <br>
> Prove to peers and potential employers without a doubt that you can actuall=
> y do a proper penetration test. IACRB CPT and CEPT certs require a full pra=
> ctical examination in order to become certified.<br>
> <br>
> <a href=3D"http://www.iacertification.org"; target=3D"_blank">http://www.iac=
> ertification.org</a><br>
> ------------------------------------------------------------------------<br=
> >
> <br>
> </blockquote></div><br></div></div></div>
>
> --001a11348abc51692c04ff062208--

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------