Questions tagged [disclosure]

releasing information about security issues to the general public or a selected group.

154 questions
366 votes, 22 answers

I found that the company I work for is putting a backdoor into mobile phones

I have found out recently that the remote assistant software that we put in a smartphone we sell can be activated by us without user approval. We are not using this option, and it is probably there by mistake. But the people who are responsible for…
anonymousquery
141 votes, 8 answers

How do I report a security vulnerability about a trusted certificate authority?

I stumbled across a huge security vulnerability in a Certificate Authority that is trusted by all modern browsers and computers. Specifically, I am able to get a valid signed certificate for a domain I don't own. If I had the means to become a Man…
MotorStoicLathe
132 votes, 10 answers

Should I contact the manufacturer if their product allows access to other users' location information?

I recently purchased a satellite communicator that allows me to send a map of my location to friends and family while I'm hiking in the wilderness. While testing out my product, I noticed that the url was constructed as…
Lil' Bits
83 votes, 5 answers

How to proceed with a white-hat hacker claiming a vulnerability?

I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member. They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS…
Vcode
82 votes, 2 answers

I'm a White Hat and I develop my own viruses. Should I report it when almost all scanners say the executable is safe?

I develop my own viruses for 'scientific' purposes, namely to see if they pass the test of Virustotal.com. They all do, except for one or two scanners. Is this considered something you should report to Microsoft/McAfee/etc? If yes, how?
John Doe
79 votes, 10 answers

How to report vulnerabilities without being regarded as a hacker?

I just discovered that my university alumni's login page is just plain HTTP. Wireshark confirmed that the credentials are sent using an HTTP POST message. I did a bit of research and, as I thought, HTTPS should always be used on the login page…
user29170
78 votes, 6 answers

How to disclose a security vulnerability in an ethical fashion?

How to disclose a security vulnerability in an ethical way? I've heard there are various schools of thought on this topic. I'd like to know the pros/cons of each.
Olivier Lalonde
72 votes, 7 answers

How do I inform a company I found a leaked database of theirs on the Internet?

Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report this to. It just has a support email. I feel…
Arkest Must
64 votes, 3 answers

Are staggered rollouts of security patches bad?

Many Android devices, including the Google Nexus line, are now receiving monthly security patches via OTA updates, accompanied by the Android Security Bulletins. However, these updates are often released in what is known as "staggered rollouts,"…
tonytan
55 votes, 7 answers

Open Source vs Closed Source Systems

My understanding is that open source systems are commonly believed to be more secure than closed source systems. Reasons for taking either approach, or combination of them, include: cultural norms, financial, legal positioning, national security,…
blunders
55 votes, 3 answers

Where to disclose a zero day vulnerability

We discovered a vulnerability in a wide range of Ricoh printers, where with a simple PostScript file sent directly, it is possible to crash the device. To recover you need physical access to the printer and an administration account to clear the queue…
Matteo
53 votes, 9 answers

How should I tell school that they are vulnerable when I wasn't given permission to check?

I would like to report security weaknesses to my school in the UK. I managed to find security weaknesses without any exploits or other software or hardware. I had a look at a similar question; however, the problem is that it is very likely to find out that it…
vakus
51 votes, 4 answers

Why submit a website to plaintext offenders?

I've read this question and to quote from the accepted answer Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case. But, isn't submitting a website to plaintext…
Ryan Weaver
46 votes, 2 answers

Where to report malicious URLs, phishing, and malicious web sites?

I recently discovered that my web site was hacked: there was a hidden HTML div that's about selling shoes...! I googled the text in question and voila: thousands of sites have been hacked. Check this out: Google the text 'There is also hang tag made…
supercobra
40 votes, 6 answers

Software vendor refuses to fix security vulnerability - what to do?

I work as a consultant for a large corporation that uses some software, in which I have found a security vulnerability. I notified both my client and the software vendor about a year ago. They referred the case to their account manager (!), who (in…
TravelingFox