2

Say you're a security researcher who finds vulnerabilities and reports them to vendors to try and receive a bug bounty. If the vendor is not willing to pay any bounty for any vulnerability, you simply don't disclose the bug and keep it private. The problem stays open.

However, the vendor does sell their product to possibly hundreds of customers who are vulnerable to the bug, who definitely don't want to stay vulnerable, since they could potentially suffer significant financial losses if someone else found the bug and used it to steal information, or worse.

What are the legal and ethical arguments for reaching out to the vendor's customers, informing them that the bug exists, explaining their potential losses (six figures), and using that as leverage to get the vendor to find the bug on their own (if they can), or pay you your desired bug bounty?

As long as the bug really does exist and you're not scaring customers for nothing, and the vendor is more than capable of finding the bug on their own if they're not willing to pay you for it's disclosure, would this be wrong to do? The alternative option of leaving the bug alone and keeping all customers vulnerable, doesn't seem like a very ethical option either, though in the short-term it creates less problems for the vendor.

Any advice would be appreciated.

David Davidson
  • 23
  • 3
  • 2
    if you see something, say something ;-) – enigma Feb 27 '17 at 21:23
  • Legal differs from country to country - which is not mentioned and you shouldn't trust from us random strangers anyway. I feel it is unethical for the reasons already answered, but for the legal status you really need to consult a lawyer. – user2867314 Feb 27 '17 at 23:15
  • IANAL but the odds of the vendor accusing you of extortion and/or libel cannot be ignored. If the vendor is unwilling to pay, then responsible public disclosure is your next best bet. If your problem with that is the lack of remuneration, well, that's where the accusation of extortion comes in; you are applying leverage to coerce someone to pay you for something they did not contract for you to do. – gowenfawr Feb 28 '17 at 04:40

2 Answers2

4

There are better ways.

If your intention is to inform customers for purely altruistic purposes (and/or, to pressure the vendor to fix, whether or not you receive financial benefits), then there are other avenues you can explore.

You could, for one, contact your local CERT, or the CERT you believe could pressure the vendor into fixing (for the US, see http://www.kb.cert.org/vuls/html/report-a-vulnerability/).

You can also request a CVE (https://cve.mitre.org/) in order to make the vulnerability public, not just known to existing customers.

There are probably a whole ton of other options, but those are (hopefully) a reasonable starting point.

Consider too these provide some kind of peer-review, to make sure you have what you think you have.

If you are intending to contact customers for profit, then the question of how you know who they are would sort of become salient, and you would most likely be considered to be cold calling, which over email (or other mediums) may have consequences, for example related to CAN-SPAM if you are US-based.

I am not a lawyer, but this seems kind of shaky ground.

And the vendor isn't likely to feel warmly towards you if they find out.

If you really don't care about ethics, there are private vulnerability marketplaces you could consider. This will not lead to any fixes, but exploitation of the bug and personally, I would not feel this the way to go.

Basically: if the vendor isn't paying you for a vuln, then I think (and this is purely opinion) that a public report will make them more likely to do so in future.

Closer to home, you could also check out How to disclose a security vulnerability in an ethical fashion?

Community
  • 1
iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
0

As long as the bug really does exist and you're not scaring customers for nothing, and the vendor is [...] not willing to pay you for it's disclosure, would this be wrong to do?

Well, think about it, if you release exploits to the public without vendor cooperation, you're basically a cracker right? Expect to be served with a lawsuit and every step of how you obtained knowledge of the bug to be put under a microscope for violations of the CFAA, DMCA, and terms of the EULA accompanying the software. And you win on all those points, congratulations, you are only some $150k of legal defense bills down from where you started.

DepressedDaniel
  • 1,240
  • 6
  • 8
  • I don't know what you mean by "cracker", but there is no writing of any exploits, or even disclosure of the vulnerability details to anyone except the vendor (if they chose to pay). – David Davidson Feb 27 '17 at 21:48
  • Other than the violation of the CFAA, DMCA, EULA, this doesn't really apply. David Davidson isn't trying to extort the vendor with the threat of full disclosure, but to protect the customers in a manner that also doesn't invalidate his past or future earnings from his line of work. – Οurous Feb 27 '17 at 21:58
  • Going to customers to warn them off if a vendor chooses not to pay could easily be considered extortion. If I received such a threat thats how I'd see it and I'm pretty open minded to these things. I don't see that as being responsible at all much as I understand why you'd not want to work for free - you already have done the work! – user2867314 Feb 27 '17 at 23:09