Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

How to report security related problems to a vendor?

Daniel Nashed  14 June 2022 11:04:03


Reporting potential security issues is very important for software quality.
Every software has bugs -- As we have seen even in the Linux world in the couple of last month. Yes and there are even Linux kernel security bugs.

Reporting security issues in the open source world is a separate topic.
But how do you report security issues or potential security issues to a commercial vendor?


Customer Support


If you
are a customer with support, you should always open a support ticket.
Those support teams know best about the actual problem and how to flag tickets for fast security reviews in the right team.



How do you report if you don't have support?


First of all, if security is important to you, you should have maintenance for all your software products to update to the latest versions to get security fixes!
But if you run into an issue and have no support, there are usually special accounts at software companies to report bugs in a safe way.


14.06.2022: Update from Martin (huge thanks)

There is a blog post describing how to open tickets. There is a separate category for security and reporting security issues.
And there is even a guest form, in case you have no support account available.


 https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0010164



Security TXT


There is an initiative which some companies are following -->
https://securitytxt.org/
This "standard" allows each Domain to provide information about their security incident reporting process.

Take a look for example at  -->
https://www.ibm.com/.well-known/security.txt


P
roduct Security Incident Response Team

There is an other standard term you should know about -- "PSIRT".

Many companies have special teams and accounts to report security issues to.


In case you are having issues with your support account or your maintenance expired, this would be probably the best way to report a security incident.
For example HCL Software has the following web page with all the details about security incident reporting:


https://www.hcltechsw.com/resources/psirt


Why is reporting security incidents in private is important?


First all, a security concern needs to be evaluated by a vendor.

If you are not a professional researcher, it can be quite difficult to get it right and there can be false positives, due do a misconfiguration or misinterpretation of logs etc.


If you report in public -- like in a blog --  this can have negative effects for the product you care about and want to help to improve.



Blog posts


So even it might not be a bug, others known less then yourself might get the wrong impression.

Also if it turns out to not be a bug, it is difficult to correct the first impression someone had about this issue.


Adding another blog post with an update on an existing post where you raised the concern, would be even less desirable.

Because readers of your blog might only read your initial post -- not the updated information in a follow-up post.



Getting the fame for finding a bug


Money should not be the main incentive to report a bug.
But getting proper credit for a bug you found is something that even ethical hackers are striving for.


If you want the credit, you let the software company name you in their CVE instead of being the first one to blog about it.


A blog post should be the last step in the process after the problem has been confirmed, the bug is fixed and the fix is available.

Unless there s a simple work-around, there is no point in making it public early.



I thought this would be common knowledge. But I had some discussions in the last week, which really surprised and disappointed me.

This lead to this blog post and I hope this helps others if not the one I tried to discuss with in private.


-- Daniel

Links

    Archives


    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]