Recently I was asked to help find a contact within a national telecommunications operator to whom an infrastructure vulnerability could be reported. A colleague had discovered an instance on the public internet that was not correctly protected and therefore could be compromised and exploited. You would think it would be an easy task! Not so! It took me over a day of effort, over an elapsed timescale of two and a half days, to reach the correct team members to make the report as a responsible disclosure. Messages via LinkedIn to likely staff members were ineffective, as was contact through people who worked there. Ultimately it was one person who "know a man who knows the man" that enabled us to get their attention.
Lessons from the experience:
- Most people would have given up after a few hours
- Unlike software companies, tech companies tend not to be set up to receive responsible disclosures of vulnerabilities
- Systems were exploitable and accessible from the public internet for over 3 elapsed days!
- Persevere; if you don't, you won't be successful.
- Design a contact form and make it accessible from your public homepage.
- To protect against spamming and screen scraping, do not publish the email address; keep it as a hidden attribute.
- Incorporate CAPTCHA / reCAPTCHA or a similar solution to protect against bots.
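The last three lessons put into code, as an added example that is not part of the original post: a disclosure contact form whose handler checks the reCAPTCHA token server-side before anything else, and forwards the report to a team mailbox that exists only in server-side configuration (the constructed address, the `deliver` callback and the stubbed verifier are assumptions for illustration).

```python
import json
import re
import urllib.parse
import urllib.request
from typing import Callable

# Constructed server-side configuration: this address is never rendered into
# the public page, so scrapers see only the form and the CAPTCHA site key.
SECURITY_CONTACT = "security-team@example.net"  # placeholder, not a real team
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def render_form(site_key: str) -> str:
    """Public HTML for the form. The reCAPTCHA site key is meant to be public;
    the team's mailbox is not, and does not appear here."""
    return (
        "<form method='post' action='/report'>"
        "<input name='name' required><input name='reply_to' type='email' required>"
        "<textarea name='details' required></textarea>"
        f"<div class='g-recaptcha' data-sitekey='{site_key}'></div>"
        "<button>Send report</button></form>"
    )

def recaptcha_verifier(secret: str) -> Callable[[str], bool]:
    """Real verifier: asks Google's siteverify endpoint whether the token is
    valid. Needs network access, so offline tests inject a stub instead."""
    def verify(token: str) -> bool:
        body = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
        url = "https://www.google.com/recaptcha/api/siteverify"
        with urllib.request.urlopen(url, body, timeout=5) as resp:
            return bool(json.load(resp).get("success"))
    return verify

def handle_submission(form: dict, verify_captcha: Callable[[str], bool],
                      deliver: Callable[[str, str, str], None]) -> tuple[bool, str]:
    """Check the CAPTCHA before anything else, validate the fields, then hand
    the report to `deliver` (e.g. an SMTP send) addressed to SECURITY_CONTACT.
    Returns (accepted, reason)."""
    token = form.get("g-recaptcha-response", "")
    if not token or not verify_captcha(token):
        return False, "captcha failed"           # automated submissions stop here
    reply_to = form.get("reply_to", "").strip()
    if not EMAIL_RE.match(reply_to):
        return False, "invalid reply address"
    details = form.get("details", "").strip()
    if not 20 <= len(details) <= 10_000:
        return False, "details too short or too long"
    subject = f"[Disclosure] report from {form.get('name', 'anonymous')[:80]}"
    deliver(SECURITY_CONTACT, subject, f"Reply-To: {reply_to}\n\n{details}")
    return True, "forwarded to security team"
```

Wire `recaptcha_verifier(secret)` in as `verify_captcha` in production; the secret, like the mailbox, stays on the server.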
Airly have developed an air quality monitoring solution with a variety of applications; it is already used by amateur runners to check whether pollution levels are high in the areas where they propose to run, and in healthcare.
FindAir have developed a simple but effective solution to help asthma sufferers manage their condition.
Skriware have developed an Edtech solution for school children to assist in developing STEAM (Science, Technology, Engineering, Arts & Mathematics) skills based upon their bespoke 3D printer, courseware and a library of models that can be used to build solutions.
StethoMe have developed a wireless electronic stethoscope with an AI powered backend analytics platform.
If you are interested in any of these topics, I strongly recommend you look them up.
Jean-Baptiste Kempf, one of the lead developers of the VLC media player (and President of VideoLAN), wrote in his blog on the 7th June 2019 that they would not have identified and fixed so many bugs had it not been for the FOSSA bounty program.