
Education Found a rather serious flaw with at least one company's product - what should I do?

Discussion in 'General' started by Lorquis, 25 Jul 2009.

  1. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    Right, excuse my vagueness as I don't want to give anything away at all; I'm just generally asking for advice as to how I should proceed as it's a bit of a biggy..

    OK, well basically I've found a vulnerability (mostly by accident) with at least one company's service (not sure about others that have the same service, as basically I don't have the money to find out), but the basic outline is it allows you to do something completely free which should cost a fair bit of money - undetected.

    So I have the vulnerability and the exploit, bit hazy on the patch as I've only just discovered it myself (I'm pretty sure there's people using it for pwnage purposes but dunno) but I have the broad strokes of the fix in my head.

    Should I:

    a) stfu and not ruin a good thing?
    b) somehow get in contact with Company X and tell them what I have?
    c) b, but only provide information after some kind of compensation agreement is made? (not sure how to go about this but if it were the case, I think it's worth a few zeros on the end of a >1 number just in loss of earning for the company)

    Answers on a postcard.

    --- Just to answer one question that will come up. NO, I will not reveal any information about what I've found to the public, via PM, or by any other means I can't think of (at least until the company(s) have fixed it).
     
  2. docodine

    docodine killed a guy once

    Joined:
    10 Feb 2007
    Posts:
    5,084
    Likes Received:
    160
    Probably should contact them and just tell them outright, they might reward you, they might not. :-/
     
  3. ArtificialHero

    ArtificialHero We were just punking him sir!

    Joined:
    25 May 2004
    Posts:
    2,228
    Likes Received:
    18
    By all means try and get some money out of it - after all, you're providing them a service by offering them this knowledge - knowledge they can use to increase their profits. Why shouldn't you get a share? It annoys me when people say you shouldn't ask for compensation in situations like this, but it's important to be realistic about what you think your information is worth.

    How you go about things is up to you. I would probably phone up and offer some details of the effect of the flaw (i.e. it would allow people to quickly and simply gain free access to your servers) - they can do the math in terms of how many people they would guess are exploiting it, and what percentage of those people would actually pay for the service if they couldn't get it free.

    If you can get anything out of it for free, good luck to you, but I'd be astonished if you walk away with any more than free service for yourself. A "1 with a few zeroes in front of it" is a pretty silly amount to expect.
     
  4. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    I know it sounds silly but based upon ease of the exploit and cost of the service, I estimate roughly about 0.01% of all people using the service in one incarnation or other and using this method.

    That given statistics yanked from various websites (including their own) worked out to be ~£10-50k loss... per month.... So me wanting a few grand out of this isn't really unreasonable in my mind...

    This isn't some obscure little hack or some little company; it's one of the major players and a Fortune 100 company at that.. Blue chip companies should be able to appreciate that the cost of compensation is a shed load less than what they're haemorrhaging.
     
  5. jhanlon303

    jhanlon303 The Keeper of History

    Joined:
    7 Sep 2006
    Posts:
    9,263
    Likes Received:
    302
    We have had a discussion of an issue like this before. Do what you feel you should.
    You tell them any details and the next upgrade closes the door.
    When I'm not retired or not working for our Govt. I test software for a living. One word and it's fixed and no one knows.

    I was not here, we did not have this discussion.
     
  6. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    I don't even know who (job title/department) I should speak to about it as I've just done some more looking into it, it looks like it's a hole that exists not only in the UK division of the firm (confirmed by me) but also in several other countries, along with their competitors which isn't yet tested by me but is by others.

    Obviously I'd just be going to the UK incarnation first if I were to, but still dunno who I should talk to and I must admit I am inclined to go down the requesting money way but again judging how much to ask that isn't too little or too much is a bit of a thing in itself.

    But suffice to say, even if only 0.0001% of people are using the services this way (tested another service of theirs and that's vulnerable to it too), it's still a few thousand a month they're losing because of this.

    Jhanlon - if you have any advice, being as you're kinda in the field a bit (although what I'm doing seems a little bit "grey hat"), I'd be much obliged.
     
  7. supermonkey

    supermonkey Deal with it

    Joined:
    14 Apr 2004
    Posts:
    4,955
    Likes Received:
    202
    If you contact the company and tell them that you've found a vulnerability, but will only disclose the details after financial compensation, then be prepared for the company's lawyers to start throwing out terms like extortion and/or bribery. From the lawyers' perspective, if the hole exploits the product in an illegal way then they'll probably start asking how you discovered it to begin with. You may end up going down a path that is very uncomfortable without legal representation.

    Of course, as John says, you can only do what you think is the right thing to do. In my opinion, it sounds like you've already made up your mind, and you're looking for advice on how to get as much money as possible. That said, if you decide to stay quiet and continue to milk the company, or if you demand compensation for your find, then you have no basis to complain if someone ever does the same to you. Just something to think about while making your decision.

    -monkey
     
  8. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    It's perfectly legitimate how I happened across the vulnerability so that's not an issue.

    I do resent the fact that either way you're making me seem like some kinda money grubbing git.. All I'm thinking is big fat corporation, losing money, I know how to stop them losing money this way.

    In the real world that's called consultancy.

    I'm not trying to ask how much I should "milk" them for... If you could read I was asking who I should contact within the company to point out the 'sploit, CTO or some such..

    I'm not going to lie and say money's not on my mind and it's not the issue - it is, otherwise we wouldn't have this conversation. My time and effort have been spent in investigating this; I feel I deserve some recognition from the company, and to be honest a "well done dude, you saved the company thousands, here's a [product]" isn't really gonna cut it considering the magnitude of this... Basically I think it's worth at least a few grand, [product]'s services for a year or two, and the ability to put it on my C.V. and have a reference for a future employer.

    If you think I'm being unreasonable please feel free to point it out, but if I were working for some blue chip consulting firm I'd probably be on a grand a day for something like this.
     
  9. AFX

    AFX "Bling" Silver Mountain 2

    Joined:
    19 Sep 2006
    Posts:
    295
    Likes Received:
    1
    OK, either I am having some really hardcore déjà vu or I swear I have read Lorquis's post before (like 6 months ago)... let me know if I'm crazy. Maybe it was in a different forum?
     
  10. The_Beast

    The_Beast I like wood ಠ_ಠ

    Joined:
    21 Apr 2007
    Posts:
    7,379
    Likes Received:
    164
    Me too
     
  11. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
  12. The_Beast

    The_Beast I like wood ಠ_ಠ

    Joined:
    21 Apr 2007
    Posts:
    7,379
    Likes Received:
    164
    Well I see the difference now
     
  13. AFX

    AFX "Bling" Silver Mountain 2

    Joined:
    19 Sep 2006
    Posts:
    295
    Likes Received:
    1
    Oh OK, that makes sense. I would go with A, but that's me; most of the time I'm wrong with decisions like this anyway. Let us know what happens!
     
  14. C-Sniper

    C-Sniper Stop Trolling this space Ądmins!

    Joined:
    17 Jun 2007
    Posts:
    3,028
    Likes Received:
    126
    I also QA software part time for a living, and what I would recommend you do is contact their tech support (if they have one) or contact support in general, and ask to speak to the manager that is in charge of the product you are using. Once there, tell them that you found a serious flaw in the software that can be used to bypass the "pay for it" function and that you would like to set up a conference to discuss the vulnerability and possibly receive compensation. If they agree, MAKE SURE YOU GET IT IN WRITING!!!!!! Discuss the exploit and the possible way to fix it, how the patch works, etc etc. Give them a firm handshake and call it a day.

    If they say no to compensation tell them that you will go Public with the exploit :p J/k


    Just try to see what you can get. If it is a paying function more often than not you can request a "finder's fee" for it.


    Overall though be polite and reasonable, and most of the time they will be the same back. If they push you, push back. It might be a small game of tug-o-war but if you keep at them most of the time they will break.
     
  15. eek

    eek CAMRA ***.

    Joined:
    23 Jan 2002
    Posts:
    1,600
    Likes Received:
    14
    You're basically doing the job of their QA dept so I'd try and get something out of it (even if it's just some store credit).

    So long as any agreements you have in place state that a fee is only payable if an exploit is found (contingency fee) then they have nothing to lose by listening to you. :thumb:
     
  16. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    Thanks guys keep any advice coming... something else I'm wondering is whether I could go to the other companies that have this service and basically replicate the goodness or is it normally the case that Company X would want exclusivity to the vulnerability and prevent me from going to Companies Y and Z?

    (Anyone with any real QA experience can PM me so I can work out what direction to go on a non-open forum)
     
  17. AndyDEL

    AndyDEL What's a Dremel?

    Joined:
    22 Oct 2005
    Posts:
    482
    Likes Received:
    4
    Got your PM.

    Well, with my issue surrounding Littlewoods - they basically just came back to me later and offered me a 20% discount off my next purchase.. Bit cheesed off, but hey, I got a MacBook on 0% terms for 12 months with £100-200 off buying directly from Apple by exploiting the issue - with 20% off something I want in the future.

    I would personally ring them up, tell them you've found a problem.. Quantify the problem in terms of loss. So i.e.: if 20 people did this, you'd lose £X amount.

    Try to then negotiate a free product from them before revealing the issue.
     
  18. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    Considering how widespread I've discovered this exploit to be used, I estimate somewhere between 1/1k and 1/10k of people using this product are using this vulnerability, and based upon the 20 people model, assuming average use (the most frequently sold version of the product), they're losing ~£400 a month.

    And with the customer base being in the millions in the UK alone (it works with their other global presences), even based upon 0.01% (1/10k) that's well over 2500 people using this exploit; based upon my earlier loss projection of 20 people, that's a loss of ~£50k per month which is ongoing. A loss of over half a million pounds a year, being quite conservative, is still a hefty chunk of pie.

    Based on that I feel perfectly valid in thinking that a consultancy fee of 10% of their yearly loss through this is reasonable. For effectively less than one month's loss of revenue they're saving £2.5m over the next five years if not more.


    Yes, I realise I'm coming off greedy, but is it really that you all think what I'm doing is wrong, or more that you wish you'd found it first? Flame away. Advice would be more welcome.
     
  19. kenco_uk

    kenco_uk I unsuccessfully then tried again

    Joined:
    28 Nov 2003
    Posts:
    10,106
    Likes Received:
    682
    Yep, I wish I could find these sort of vulnerabilities. And I'd do C - it looks like that's what you're gearing yourself towards doing. Go for it. As already mentioned, get things confirmed in writing.
     
  20. Lorquis

    Lorquis lorquisSpamCount++;

    Joined:
    8 Sep 2002
    Posts:
    5,428
    Likes Received:
    106
    My main problem at the moment is on Monday morning, who do I actually request to speak to?

    CTO, Support, Development, IT Dept?

    I know without any kind of information about the company being provided it's a little bit difficult to give specific advice to me... but any help is certainly welcomed.
     