How would you deal with an unsolicited notice of vulnerabilities in your infrastructure?

Are you set up to respond to unsolicited vulnerability disclosures?

Recently I was asked to help find a contact within a national telecommunications operator to whom an infrastructure vulnerability could be reported. A colleague had discovered an instance on the public internet that was not correctly protected and therefore could be compromised and exploited. You would think it would be an easy task! Not so! It took me over a day of effort, over an elapsed timescale of two and a half days, to reach the correct team members to make the report as a responsible disclosure. Messages via LinkedIn to likely staff members were ineffective, as was contact through people who worked there. Ultimately it was one person who "knows a man who knows the man" that enabled us to get their attention.

Lessons from the experience:
  • Most people would have given up after a few hours.
  • Unlike software companies, tech companies do not tend to be set up to receive responsible disclosures of vulnerabilities.
  • Systems were exploitable and accessible from the public internet for over 3 elapsed days!
  • Persevere; if you don't, you won't be successful.

Recommendation
  • Design a contact form and make it accessible from your public homepage.
  • To protect against spamming and screen scraping, do not publish the email address; keep it as a hidden attribute.
  • Incorporate CAPTCHA / reCAPTCHA or a similar solution to ensure you protect against bots.

