...

  • Search the web or the vendor's web site for relevant phrases
    • "report a vulnerability"
    • "security"
    • "report a bug"
    • "bug bounty"
    • "vulnerability disclosure policy"
    • "security@" + company name
    • company name + "PSIRT"
  • See if the vendor has a security.txt file, often found at www.example.com/.well-known/security.txt or sometimes at www.example.com/security.txt (securitytxt.org, IETF Draft)
  • Check vulnerability disclosure / bug bounty service providers (Bugcrowd, Synack, HackerOne, etc.) to find vendor contacts.
  • Check the Forum of Incident Response and Security Teams (FIRST) member directory at https://www.first.org/members/teams/
  • Check the CVE Numbering Authority list at https://cve.mitre.org/cve/request_id.html#cna_participants
  • Search open source code repositories (GitHub, GitLab, SourceForge, etc.) to find developer contacts.
    • If no direct contact information can be found, posting to the Issues page of a project asking how they'd like to receive vulnerability reports can be useful.
  • Submit a bug report through the vendor's online bug tracker
    • If given the option to mark it as security-related, please do so as this often restricts viewing to just the vendor.
  • Reach out through social media (Twitter, LinkedIn, etc.) to request the vendor establish a direct communication channel
    • We recommend you avoid posting vulnerability details in public when making initial contact when possible. For example, reporters might instead post an issue to a public bug tracker requesting that the vendor provide a secure method of communication instead of just posting the vulnerability details directly in a publicly visible issue.
  • Try emailing commonly used addresses:
    • support@, security@, abuse@, info@, sales@
  • Fill out a generic support or "Contact Us" form
  • Make a phone call to the vendor
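As an added example (not part of the original guide), the security.txt lookup above can be automated: try the two locations in the order listed, then read the Contact fields and honour the file's Expires date so that a stale, possibly unmonitored file is not mistaken for a live channel. The field names follow the security.txt format (an IETF draft at the time of writing, since published as RFC 9116); the host and file contents below are constructed, and fetching over the network is left to the caller.

```python
from datetime import datetime, timezone
from urllib.parse import urljoin

# Lookup order from the guide: the .well-known path first, then the site root.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")


def candidate_urls(host: str) -> list[str]:
    """URLs to try, in order, for a vendor host such as 'www.example.com'."""
    base = f"https://{host}"
    return [urljoin(base, path) for path in SECURITY_TXT_PATHS]


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines; '#' comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: ignore it rather than abort the lookup
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def usable_contacts(fields: dict[str, list[str]], now=None) -> list[str]:
    """Return Contact values unless the file's Expires date has passed.

    A stale file suggests the channel may be unmonitored, so treat it as
    'no contact found' and fall through to the other methods in the list.
    """
    now = now or datetime.now(timezone.utc)
    for exp in fields.get("expires", []):
        if datetime.fromisoformat(exp.replace("Z", "+00:00")) < now:
            return []
    return fields.get("contact", [])


# Constructed sample file; not fetched from any real vendor.
SAMPLE = """\
# Security contacts for Example Corp (constructed)
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
"""

if __name__ == "__main__":
    print(candidate_urls("www.example.com"), usable_contacts(parse_security_txt(SAMPLE)))
```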

...

  • Send a fax (yes, we've actually done this)
  • Send snail mail[1] to an executive
    • If you have access to resources like LexisNexis, you can often find the names of executives in technical roles as a starting point.
    • If message delivery confirmation is desired, in the US you can send certified mail with signature verification. The recipient must sign to receive the mail, and you'll get a signed receipt back.

When all that fails

Some vendors remain unreachable even after a number of reasonable, good-faith attempts to reach them—and by reasonable we mean considerably less than exhausting the entire list above. Some vendors just do not seem to want to be reached, and that is their prerogative. However, we have found that experience is often the best teacher. When a vendor is surprised by the publication of a vulnerability in their product, and it is clear from the report that attempts to notify them were made but failed, it can prompt the vendor to re-evaluate their vulnerability intake and handling processes to make it easier to reach them in the future.

Providing Useful Information

...