8

Assuming that:

  1. Vulnerabilities in third-party components are not explicitly excluded from the scope of the program.
  2. The issue is reproducible in the specific target.

Should I report the issue to the third-party developer only, or to the program too? If the component is used and exploitable in X applications, should I claim a bounty for all of them?

EDIT: It seems that big programs regularly pay bounties for vulnerabilities in third party components. Example (May be NSFW)

Not Now

  • A 0day in a dependency consumed by multiple organizations with bug bounty programs? Yes, you may use that exploitation method as the attack vector and enumerate bounties from multiple programs. A way to exploit that vulnerability is your intellectual property. As long as you do good/ethical things like reporting bugs to bounty programs, there shouldn't be an issue. No one says that you must report it to the dependency owner. This is just my opinion, not legal advice, just my perspective. – Mobutu Sese Seko Kuku Ngbendu Sep 28 '20 at 07:11

1 Answer

6

It is highly likely that the developer implementing the vulnerable piece of code would be restricted from modifying it, either by a license or by an inability to do so because of insufficient knowledge of the code, no access to it, or other similar impediments. That being said, you ought to report the vulnerability to the third-party developer, who should then take steps to mitigate the issue and push the changes to anyone using the code.

It is recommended that you report the issue to any affected programs or applications, but that's up to you - after all, there aren't any regulations on vulnerability disclosure and the only guideline is your ethical reasoning.

To directly answer your question, if the developer of the vulnerable code is responsible for its maintenance (depending on the software license), they would most likely be the only party who would be willing or eligible to pay you a bounty. However, disclosing the vulnerability to any affected parties is recommended and they might also be willing to reward you depending on the severity of the vulnerability and their ability to mitigate it.

Elhitch

  • In this specific case the component has already been modified, so license shouldn't be an issue. The bug (an integer overflow causing an out-of-bounds read) can be mitigated both by adding an additional check in the component or in the target application. I have filed reports with proposed mitigations in the apps. Two of them have already replied, one awarded the bounty. – Not Now Mar 30 '18 at 14:11
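The comment above describes the bug class generically: an integer overflow in a length check lets a caller read past the end of a buffer, and the fix can live in the component or in the application that consumes it. The following C program is an added example written for this page, not code from the thread or from any real component. The record format (4-byte little-endian length followed by payload), the function names and the two sample records are all constructed for illustration; the point is to show why the wrapped check passes and how each of the two mitigation placements the commenter mentions would stop it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical record format for this example: a 4-byte little-endian
 * length followed by that many payload bytes. Not the real component. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1. The component as shipped. The bounds check is computed as
 *    off + 4 + len in 32-bit arithmetic, so a length near UINT32_MAX
 *    wraps the sum below buf_len and the check passes. The caller then
 *    reads *out_len bytes from *out, i.e. far past the end of buf. */
int component_get_field_vuln(const uint8_t *buf, uint32_t buf_len, uint32_t off,
                             const uint8_t **out, uint32_t *out_len)
{
    if (off + 4 > buf_len)           /* header must fit (this sum can wrap too) */
        return -1;
    uint32_t len = rd32le(buf + off);
    uint32_t end = off + 4 + len;    /* wraps when len is large */
    if (end > buf_len)               /* defeated after the wrap */
        return -1;
    *out = buf + off + 4;
    *out_len = len;
    return 0;
}

/* 2. Fix inside the component: phrase every check as a subtraction from
 *    the space known to remain, which cannot wrap. */
int component_get_field_fixed(const uint8_t *buf, uint32_t buf_len, uint32_t off,
                              const uint8_t **out, uint32_t *out_len)
{
    if (off > buf_len || buf_len - off < 4)
        return -1;
    uint32_t len = rd32le(buf + off);
    if (len > buf_len - off - 4)     /* bytes left after the header */
        return -1;
    *out = buf + off + 4;
    *out_len = len;
    return 0;
}

/* 3. Mitigation in the application when the component cannot be patched:
 *    validate the offset before the call so the component never reads a
 *    header out of bounds, and treat its (pointer, length) result as
 *    untrusted, re-checking it against the buffer before using it. */
int app_get_field(const uint8_t *buf, uint32_t buf_len, uint32_t off,
                  const uint8_t **out, uint32_t *out_len)
{
    const uint8_t *p;
    uint32_t n;
    if (off > buf_len || buf_len - off < 4)
        return -1;
    if (component_get_field_vuln(buf, buf_len, off, &p, &n) != 0)
        return -1;
    size_t start = (size_t)(p - buf);          /* p is inside buf after the pre-check */
    if (start > buf_len || n > buf_len - start)
        return -1;                             /* span would run past the end */
    *out = p;
    *out_len = n;
    return 0;
}

/* Constructed sample records. GOOD_REC is a 4-byte field "abcd".
 * EVIL_REC declares length 0xFFFFFFFC, so 4 + 0xFFFFFFFC wraps to 0. */
const uint8_t GOOD_REC[] = { 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd' };
const uint8_t EVIL_REC[] = { 0xFC, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };

typedef int (*getter_fn)(const uint8_t *, uint32_t, uint32_t,
                         const uint8_t **, uint32_t *);

/* Verdict of a getter on a record at offset 0: 0 = accepted, -1 = rejected. */
int verdict(getter_fn get, const uint8_t *buf, uint32_t buf_len)
{
    const uint8_t *p;
    uint32_t n;
    return get(buf, buf_len, 0, &p, &n);
}

/* Length the getter reports for an accepted record, 0 if it rejected it. */
uint32_t reported_len(getter_fn get, const uint8_t *buf, uint32_t buf_len)
{
    const uint8_t *p;
    uint32_t n = 0;
    if (get(buf, buf_len, 0, &p, &n) != 0)
        return 0;
    return n;
}

int main(void)
{
    printf("vulnerable component, evil record: verdict %d, length %" PRIu32 "\n",
           verdict(component_get_field_vuln, EVIL_REC, sizeof EVIL_REC),
           reported_len(component_get_field_vuln, EVIL_REC, sizeof EVIL_REC));
    printf("fixed component, evil record:      verdict %d\n",
           verdict(component_get_field_fixed, EVIL_REC, sizeof EVIL_REC));
    printf("app-side check, evil record:       verdict %d\n",
           verdict(app_get_field, EVIL_REC, sizeof EVIL_REC));
    return 0;
}
```

The vulnerable getter accepts the crafted record and hands back a length of 0xFFFFFFFC for an 8-byte buffer, which is exactly the out-of-bounds read the commenter is describing once the application consumes it. Of the two mitigations, the in-component fix is the real one: the application-side check only protects callers that wrap the component this way, and it cannot repair reads the component performs internally, which is why the answer's advice to report upstream as well still applies.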