Ask HN: I have a zero day, what should I do?
I informed the company about this security hole many months ago. It is still open. Their customers are being affected. I want them to fix it, but they won't fix it, maybe they can't.
What should I do?
What should I do?
12 comments
[ 2.6 ms ] story [ 33.7 ms ] threadInform them that you're dissatisfied by their manner of handling sensitive customer data, and the hole might already have affected existing customers without their knowledge.
And finally, inform them that should they be willing, but unable to provide a fix in timely manner, I'm available for security consultation, and implementation; e-mail me at sdrinf [at] gmail for a free initial consultation ;)
Some issues can be fixed quickly; others take a long time. The AWS signing bug I found, for example, took over 6 months to fix, because Amazon had to create a new signing scheme and then update a lot of code to use it. Because of this, I would hesitate to specify a hard expiry date; my usual approach is to ask for periodic status reports and only "turn up the heat" if it sounds like the issue isn't being taken seriously.
If they don't seem to be taking the issue seriously, there's two possibilities: 1. They're not taking the issue seriously; 2. They didn't take you seriously and never actually looked at the issue. In either case, it might be useful to work through someone who has experience in vulnerability handling; myself and tptacek come to mind as people who could help here.
They did take me seriously. I believe they aren't fixing the problem because they will have to rewrite a lot of their code, their customers will have to rewrite code, and many will be forced to find another provider all together, which means the solution has negative financial impacts.
Not solving it means negative financial impacts on their customers in lost time to rebuild affected data. It's very well possible that malicious people know about this and are using it right now to gather usernames and passwords for later attacks. Hundreds, perhaps thousands, of databases may have been siphoned off already.
How do you "turn up the heat" ?
Start saying things like "if you don't start making progress on this, I'm going to publish details". Contact Mitre and ask for a CVE #. Write to CERT, CERT-FI, or NISCC and ask them to help you. Write a blog post about the issue and send it to them saying "I'm going to put this online on Monday unless I hear from you first".
Then put the blog post online on Wednesday.
EDIT: Also, try different communications channels. Sometimes a phone call is far more effective than an email.
"The term derives from the age of the exploit. When a developer becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software."
-http://en.wikipedia.org/wiki/Zero-day_attack
My advice would be not to try to sell it.