Readit News
lawl · 7 years ago
When vendors are that annoying I usually just go full disclosure.

I found some privilege escalations on some small cloud providers though that went as far as ignoring my mails to their listed security@.... e-mail, or yeah, not having a contact listed at all.

Not quite sure what to do with those. Posting these to a full-disclosure list? They're too small nobody's going to care, until someone does and steals customer data. Might as well just ignore it until someone else discovers it and steals customer data?

benchaney · 7 years ago
I’m strongly in the full disclosure in that situation camp. At the very least, if you fully disclose the vulnerability and the company ignores it, it serves as a warning to their customers about what they are at risk of.
eat_veggies · 7 years ago
HackerOne provides disclosure assistance [0] for uncooperative companies. Not sure how they handle it from there.

[0] https://hackerone.com/disclosure-assistance

greggman · 7 years ago
HackerOne and some issues with it are brought up in the article.
red_admiral · 7 years ago
Responsible disclosure is an unwritten agreement between two parties.

If I find a vulnerability in your system, and you don't go out of your way to make it hard for me to report it, then I will send it to you first.

If you show some interest in fixing the vulnerability, I will hold off talking about it for a while.

If a company doesn't do their part in making responsible disclosure possible, I don't feel bound by it either. If it's anything big, I'd first report it to the national authorities (CERT, NCSC, ICO if there's personal data involved). Want me talking to you before I talk to the authorities and possibly a lawyer? Provide me with a contact option that doesn't involve agreeing to a small novel's worth of disclaimers.

voltagex_ · 7 years ago
FTA: "The difficulty I encountered reporting this serious vulnerability delayed my report one week. It might have caused a longer delay if I did not have contacts at Samsung who could help"

I haven't had to report anything too serious, but I've found this in most big companies (including Google). It's seriously frustrating, but I wonder where the balance is between being too hard to contact and opening the floodgates.