How to disclose an open S3 bucket?

Question

What is the most responsible way of disclosing an open AWS S3 bucket?

Let's say there are sensitive documents inside, such as contracts with the company logo, that lead you to believe that it belongs to a specific company. Would you reach out to the CISO/CTO at that company with the name of the bucket and recommendation that it be looked at immediately?

I've looked through a few answers here (including How to disclose a security vulnerability in an ethical fashion?). Are S3 buckets more complicated in that they don't have a clear owner?

Are there other security complications if the data was already downloaded automatically to another location? (common with brute force scripts that I've seen on Github for finding open S3 buckets is automatically downloading the files if the bucket is open)

i.e. a bucket named "coca-cola-bucket" could be owned by anyone, and even a bucket with the secret coca cola recipe could theoretically be owned by some other (shady? third party?) organization — octothorpe_not_hashtag, Apr 23 '19 at 04:09
Aha, yes, I see what you mean... the owner of the bucket may not be readily apparent or easily discernable and indeed might even be deliberately deceptive. — Michael - sqlbot, Apr 23 '19 at 12:41

score 3 · Answer 1 · answered Apr 23 '19 at 12:53

The AWS documentation has a vulnerability reporting section.

While what you are describing is not a vulnerability in the S3 infrastructure, I would be genuinely surprised if this was not still an appropriate path. Provide the information to AWS Security at aws-security@amazon.com, using their PGP key if you so desire.

They -- better than anyone -- would know or have a way to identify who owns the bucket, and they should be in the optimum position to identify and make contact with the bucket owner.

How to disclose an open S3 bucket?

1 Answers1