How would you deal with an unsolicitied rnotice of vulnerabilities in your infrastructure?

Are you set up to handle unsolicited vulnerability disclosures?

Recently I was asked to help find a contact within a national telecommunications operator to whom an infrastructure vulnerability could be reported. A colleague had discovered an instance on the public internet that was not correctly protected and therefore could be compromised and exploited. You would think it would be an easy task! Not so! It took me over a day of effort over an elapsed timescale of two and a half days to reach the correct team members to make the report as a responsible disclosure. Messages via LinkedIn to likely staff members were ineffective as was contact through people who worked there. Ultimately it was one person who "know a man who knows the man" that enabled us to get their attention.

Lessons from the experience:
  • Most people would have given up after a few hours
  • Unlike software companies, tech companies do not tend to be set up to receive responsible disclosures of vulnerabilities
  • Systems were exploitable and accessible from the public internet for over 3 elapsed days!
  • Persever, if you don't then you won't be successful.

  • Design a Contact Form and make it accessible from your public homepage.
  • To protect against spamming and screen scraping do not publish the email address, make it a hidden attribute
  • Incorporate CATCHPA / re CATCHPA or a similar solution to ensure you protect against 'bots'


Tomasz Tunguz (VC @ Redpoint) predicts the impact of Coronavirus on startups

Tomasz Tunguz is a well known venture capitalist and is a partner at Redpoint Ventures a Menlo Park based VC firm. In his blog post Tomasz articulates what he thinks the impact of Coroanvirus will have in startup land.

His blog post can be found

Poland's starup ecosystem

I have just returned from a few days meeting some startups in Krakow and Warsaw. I was impressed by the quality of the people I met and their enthusiasm to make a difference. There were a number of companies I met who have the potential to make a really significant social impact. They include:

Airly have developed an air quality monitoring solution with a variety of applications, it is already in use by amateur runners to determine if there is high pollution levels in the areas they propose to run, and in healthcare.

FindAir have developed a simple but effective solution to assist asthma sufferers manage their condition

Skriware have developed an Edtech solution for school children to assist in developing STEAM (Science, Technology, Engineering, Arts & Mathematics) skills based upon their bespoke 3D printer, courseware and a library of models that can be used to build solutions.

StethoMe have developed a wireless electronic stethoscope with an AI powered backend analytics platform.

If you are interested in any of these topics i strongly recommend you look them up.

EU’s Free and Open Source Software Auditing project, EU-FOSSA 2

Many people are not aware that the EU has an initiative to help improve the quality and security of match of the Open Source software that is in use within many EU institutions across the EU, the Free and Open Source Software Auditing (EU-FOSSA 2) project. They also promote a bug bounty scheme paying bounties up to €60,000 which has proven to be successful as confirmed by VLC whose popular video media player has benefited from he bounty scheme.

Jean-Baptiste Kempf, one of the lead developers of VLC media player (and President of VideoLan) wrote on the 7th June 2019 in his
blog that they would not have identified and fixed so many bugs had it not been for the FOSSA bounty program.

FBI warns against trusting "secure" websites

The FBI released an alert on the 10th June 2019 on their Internet Crime Complaint Centre (IC3) advising the public not to trust implicitly the padlock which is displayed to indicate that the browser session is secure. They also include some basic recommendations. Sophisticated criminals are frequently including 'legitimate' certificates when mounting campaigns against unsuspecting users. Our recommendation is to always click on the padlock and confirm that the certificate matches the domain name to which it is supposed to be related.

This site uses cookies to enable us to optimise your experience and to generate usage statistics through Google analytics.

We do not share any of your information or activity on this website with others. For more information please see our Privacy policy which can be found on our 'Legal Stuff' page.