A lifetime first, a corporation LISTENS!

2009-05-03 00:05:04

Mon, 13 Oct 08 01:08:38 -0600

Greetings, fellow BagelBloggers!
In a lifetime first, TheOnion.com LISTENED to me about my exploit! (After I released the exploit into the wild.)

After a month of attempted contact, I released the exploit on my favorite hacking forum, and within two days, the problem was fixed!

I guess the barrage of hackers visiting, and a few white (gray?) hats contacting them, got them off their asses!

All of the other corporations never email me back, with the exception of one: Google. They usually knew about the problem and were on the way to fixing it. Another (unnamed) shopping cart sent me an email telling me they had sent it to their tech department, and I never heard from them again. So, as such, I have started a new 0-day exploit policy:


Upon the discovery of a new exploit, a contact attempt will first be made by the preferred means on the vendor's site, be it phone, email, or form.

From the day the exploit is noted, the vendor or producer has exactly 30 days until the 0-day exploit is released into the wild. A simple email or other means of contact showing acknowledgment can delay or even prevent the release of the exploit, depending on severity and other circumstances.
If the exploit is still present in the next version of the application, another contact attempt will be made and the same 30-day rule will apply.

As I am a strong believer in both freedom of information and private security, every attempt to contact the vendor/producer will be exhausted at regular times throughout the 30-day period. And as such, only a complete DOLT would ignore such warnings without so much as an acknowledgment that they are attempting to fix the problem.

The contact emails will each contain the following features:

1. The exact location and nature of the exploit
2. A proof of concept demonstration
3. A basic assessment of risk
4. A suggestion on how to fix the exploit, and if within reason, specific functions, filters, or measures to alleviate the issue

The exception is those clients that have hired me specifically to perform a security test on their application or website, as they will have indefinite time.



My previous policy was to not disclose an exploit until a fix was made, but quite frankly, I am SICK of these DOLTS ignoring me. The way I figure it, if these DOLTS refuse multiple and repeated attempts to contact them, with relatively simple means of resolving a critical threat, they deserve to have their actions scrutinized by the security community. Just as well, the public has the right to know that they are using an unsafe application, so they may make an informed choice as to which applications/websites to use in their lives.

Peace.

P.S.
If you are ever contacted by someone, telling you about a security threat, fix the threat. For real, don't be a DOLT, just do it.
