https://plygrnd.net/tags/cvd/ Recent content in Cvd on plygrnd Hugo en-us Thu, 03 Feb 2022 00:00:00 +0000 https://plygrnd.net/the-9-commandments-of-coordinated-vulnerability-disclosure/ Thu, 03 Feb 2022 00:00:00 +0000 https://plygrnd.net/the-9-commandments-of-coordinated-vulnerability-disclosure/ <p>This was originally a <a href="https://twitter.com/notdurson/status/1489350457730469888">Twitter thread</a>. In case Twitter goes the way of the dodo, I&rsquo;ll preserve the content here (with some edits now that I&rsquo;m no longer limited to 280 characters per point).</p> <p>The nine points below capture, at a high level, most of what I know about responsible disclosure / CVD / the ins and outs of reporting security issues in other people&rsquo;s software.</p> <ol> <li><strong>Operate with good intentions in mind.</strong> You&rsquo;re hacking on other people&rsquo;s stuff (and presumably doing so for the common good). Treat other people&rsquo;s infrastructure like you treat your phone, wallet, car, or favorite plushie — respect it and try not to break it. If your targets publish rules of engagement, follow them to the letter.</li> <li><strong>Be verbose — more info is better.</strong> Don&rsquo;t assume that anyone will know what you&rsquo;re reporting from context. Include as many details and as much background as possible in your report.</li> <li><strong>Produce — <em>and provide</em> — a proof of concept</strong> which bears out your assertions. Decent incident responders won&rsquo;t balk at reading a 10-page description of your findings. If they can&rsquo;t reproduce them, though, they can&rsquo;t help you.</li> <li><strong>Be prepared for disappointment.</strong> Bug hunting is hard, painful, irritating work which may be thrown away as <em>known issue</em> or <em>won&rsquo;t fix</em> or <em>accepted risk</em>. It happens — and it&rsquo;s not personal.</li> <li><strong>People are fallible.</strong> Everyone&rsquo;s wrong sometimes. If you disagree with a decision not to accept a report or fix an issue, and you have compelling evidence to indicate that your findings are valid, fight for yourself. Escalate if you need to. But — be nice about it.</li> <li><strong>Be prepared to go unrewarded</strong> — it&rsquo;ll make the first bounty feel that much better. Rewards are nice, but not mandatory. Bounties are at the vendor&rsquo;s discretion.</li> <li><strong>Act with integrity.</strong> Badgering or threatening vendors to extract a reward isn&rsquo;t responsible disclosure. It&rsquo;s extortion. Such behavior might result in your report being downplayed. It can also get you removed from bug bounty programs or banned from using the service you researched.</li> <li><strong>If you&rsquo;re confident in your findings, include a disclosure date in your report</strong> and be upfront about your disclosure plan (blog, tweet, other). This keeps everyone on the same page and helps the responding party determine the scope and pace of their work.</li> <li><strong>Above all, have some fun.</strong> Get to know the teams you report stuff to — we love making new friends. :)</li> </ol>