Ask HN: I have a zero day, what should I do?

23 points by jacksoncarter ↗ HN
I informed the company about this security hole many months ago. It is still open. Their customers are being affected. I want them to fix it, but they won't fix it, maybe they can't.

What should I do?

12 comments

[ 2.6 ms ] story [ 33.7 ms ] thread
Inform them that your obligation to approach a mutually convenient solution discreetly is about to expire within 48-72 hours (depending on scope; your call); after which you will disclose, and syndicate the security hole to the public at large.

Inform them that you're dissatisfied by their manner of handling sensitive customer data, and the hole might already have affected existing customers without their knowledge.

And finally, inform them that should they be willing, but unable to provide a fix in timely manner, I'm available for security consultation, and implementation; e-mail me at sdrinf [at] gmail for a free initial consultation ;)

It's hard to offer advice without knowing more details, but I think it's good that you're not providing many details in a public forum like this.

Some issues can be fixed quickly; others take a long time. The AWS signing bug I found, for example, took over 6 months to fix, because Amazon had to create a new signing scheme and then update a lot of code to use it. Because of this, I would hesitate to specify a hard expiry date; my usual approach is to ask for periodic status reports and only "turn up the heat" if it sounds like the issue isn't being taken seriously.

If they don't seem to be taking the issue seriously, there's two possibilities: 1. They're not taking the issue seriously; 2. They didn't take you seriously and never actually looked at the issue. In either case, it might be useful to work through someone who has experience in vulnerability handling; myself and tptacek come to mind as people who could help here.

It is a very difficult problem to solve. I do know that. It's been about 9 months since I first informed them of the issue. I sent them source code that illustrates an attack. Many of their customers are being affected right now, by something. I can't prove that this is the mechanism behind the current wave of attacks, though I can prove that this mechanism would allow a hacker to compromise sites exactly as is being described by victims.

They did take me seriously. I believe they aren't fixing the problem because they will have to rewrite a lot of their code, their customers will have to rewrite code, and many will be forced to find another provider all together, which means the solution has negative financial impacts.

Not solving it means negative financial impacts on their customers in lost time to rebuild affected data. It's very well possible that malicious people know about this and are using it right now to gather usernames and passwords for later attacks. Hundreds, perhaps thousands, of databases may have been siphoned off already.

How do you "turn up the heat" ?

How do you "turn up the heat" ?

Start saying things like "if you don't start making progress on this, I'm going to publish details". Contact Mitre and ask for a CVE #. Write to CERT, CERT-FI, or NISCC and ask them to help you. Write a blog post about the issue and send it to them saying "I'm going to put this online on Monday unless I hear from you first".

Then put the blog post online on Wednesday.

EDIT: Also, try different communications channels. Sometimes a phone call is far more effective than an email.

Is this company an employer, or a business partner, or is it just some random company that we are talking about?
I am one of their customers. I believe I have been affected by this issue in the past.
Good grief. Take up the offer of the HNers that have replied to you offering to front the issue for you.
Sorry, kind of off topic but IF I am to trust wikipedia, wouldn't this not be called a zero day. It would be called a 9 month?

"The term derives from the age of the exploit. When a developer becomes aware of a security hole, there is a race to close it before attackers discover it or the vulnerability becomes public. A "zero day" attack occurs on or before the first or "zeroth" day of developer awareness, meaning the developer has not had any opportunity to distribute a security fix to users of the software."

-http://en.wikipedia.org/wiki/Zero-day_attack

It would be a zero-day if exploits had already started at the time of discovery. The OP implies that attacks are already underway, possibly predating the discovery, but doesn't mention having solid proof of that.
If you're still wondering about this, contact me directly (my info's in my profile).

My advice would be not to try to sell it.

Talk to the company. Find out why they haven't fixed the issue. Talk to an actual engineer at the company. Maybe they are working on it but are having a hard time resolving the issue properly.