My coworkers and I discovered a significant security issue in a popular cybersecurity tool, which shall go unnamed here for reasons that will become obvious.

We reported the issue to the tool's vendor through their bug bounty program on bugcrowd. They ranked it as a P2 issue and paid us $2,000 for it.

It's now about six months later, and the issue still hasn't been fixed, nor have they given us a timeline for when it will be. They've also informed us that under the terms of their bug bounty program we're not allowed to publicly disclose the issue no matter how long it takes them to fix it. UPDATE: I've followed up with them twice since reporting it, expressing increasing agitation over the fact that the issue still hasn't been fixed and it seems likely to me that it is being exploited, and this is what I've been told each time.

The issue was not arcane or difficult for us to discover and reproduce. There has been plenty of public discussion of issues of this type in tools of this type. This makes me worry that they were aware of the issue before we reported it to them, and paid us the $2,000 bounty to "catch and kill" our report, i.e., to prevent us from disclosing it publicly before they fixed it.

I am concerned that hackers may be leveraging the issue in the wild to compromise people's data, and the tool's vendor is allowing this to continue by not disclosing or fixing the issue.

Even in the existing version of the tool, there is a workaround that can be applied to minimize the impact of the issue, so disclosure would allow people using the tool to protect themselves even before a fix is released. I am therefore increasingly uncomfortable with sitting on my knowledge about this issue rather than publicly disclosing it.

At this point I'd be happy to send a check for $2,000 back to their corporate mailing address and tell them to take their bounty and shove it and then disclose the issue publicly to protect other users of the tool. The problem with this is that we donated the $2,000 to charity -- as we told them we were planning on doing when we reported the issue to them -- so we don't have the money anymore to send back to them.

Does anybody have any advice to offer?

Jonathan Kamens
  • There are certainly legal aspects to this question, but it is certainly not _entirely_ a legal question. For example, whether the vendor in question would in fact sue me for disclosing is not a legal question _per se_, it's more one of PR and strategy and what experiences other people in this space have had in the past. Furthermore, there's an _ethical_ question of whether we would be right to publicly disclose this issue, despite the legal risk, to protect other users of the tool. – Jonathan Kamens Dec 10 '18 at 22:35
  • Whether or not they *can* sue is a legal question per se. Whether or not they *would* is not a legal question (nor a security question). Ethically, I'm not sure that you can make a determination yet. You do not know if disclosing it would cause more harm than letting them work to their timeline. – schroeder Dec 10 '18 at 22:41
  • 6 months is not a long time in bug-land. I've seen much longer timelines. – schroeder Dec 10 '18 at 22:42
  • @JonathanKamens Is the unnamed tool a password manager, per chance? – forest Dec 11 '18 at 12:50

2 Answers

You should report the vulnerability to Mitre to get a CVE assigned, or on Full Disclosure.

When a vendor refuses to fix a bug that you've reported, it's ethically acceptable to disclose it openly or try to get a CVE assigned for it. This is especially important if you believe that the bug may be being exploited in the wild, and even more so if knowledge of the vulnerability allows easy mitigation by end users. People typically wait a fixed period of time before reporting a vulnerability that has not been fixed. It's common to disclose the issue to the vendor and wait 90 days before making it public.

They will probably kick you out of the program, but they cannot get the money back without engaging in a messy lawsuit. In fact, because such companies are unable to easily take the money back without resorting to legal action, these 0day-selling companies (often the more unethical ones which pay the higher prices) will often give you the payout slowly over a period of time, allowing them to terminate payment early if you disclose the bug without involving the legal system to remedy violations.

It is very important to remember that, while the money is yours (assuming the contract says so!), you could be sued for breach of contract and forced to pay even more money than you earned (both in legal costs and in damages from the lawsuit). While breach of contract is not criminal in most countries, civil law is still in effect. If this is important to you or if you do not want to risk a lawsuit from a litigious company, you should consult a real lawyer and not take legal advice from strangers on the internet.

forest
I don't see how you got a choice here. You accepted the money under the terms of the bug bounty program. You can't undo the contract since you already gave the money away.

under the terms of their bug bounty program we're not allowed to publicly disclose the issue no matter how long it takes them to fix it.

Therefore, you can't disclose the bug without breaching the contract.

Whether to breach contract depends a lot on how much money, time and effort you are willing to put into this. A lawsuit quickly becomes stressful and expensive. Given that you wilfully breached a contract, it is pretty likely that the company is going to sue you, since this incurs little risk for them.

I think the best option is to contact the vendor again and work with them. Help them implement the correct fix. If the person you are in contact with doesn't seem helpful, maybe you can contact someone else at the company.

Sjoerd