Ask HN: How should I publicly disclose a vulnerability without hurting users?

7 points by azelfrath ↗ HN
I don't want to mention names right now or go into too much detail, but I have found a vulnerability in an open-source application that could be exploited to financially damage those who run it. I have tested this myself under various setups and confirmed that it works.

I contacted the developers about the issue, including versions affected, the exploit, and the fix. Within 5 minutes, I had a response saying, in effect that they "cannot be responsible for the user not knowing".

I'd submit a fix myself, but there's no place to do so. It's an open-source app but you cannot commit publicly. I want them to fix this because it's an extremely simple patch, and the potential damage resulting from an exploit would be crippling.

If I blog about it, or otherwise publicly post details, people could get hurt. If I don't, the developers have no reason (or rather, motivation) to fix it.

Advice?

4 comments

[ 3.5 ms ] story [ 22.2 ms ] thread
By hurt I assume you mean financially and not that anyone will be physically harmed. If you've done due diligence by contacting the developers I think you have a responsibility to make it known what you have found so that others can put pressure on to fix it. Just my .02
<sarcasm> Actually yes, physically. The bug is in a beta version of Skynet. </sarcasm>

I tend to agree with you, and that's what my heart is telling me, but aren't there legal issues involved? I seem to recall the standard being something like "Wait 30 days after informing", but if they outright refuse to fix it before then and they say so, am I able to be sued for damages if I disclose?

Maybe a logical "2nd step" for you would be to disclose that you've found a substantial bug that could "financially harm users" if exploited...but don't actually share the exploit. Post that you've contacted the developers as of <date> and will give them X-days to resolve the issue.

Now, as for that final step...that's up to you. Not sure the legal ramifications for sharing the exploit, or frankly, what the benefit to the community would be. I think your goal should be to put pressure on the developers, but not to actually expose the threat. If they never get around to fixing it, you've just potentially screwed the community (not to mention those that might never see the update).