Software companies need to be more respectful
Jun 13th, 2008 by Micheal
As an on-again off-again security researcher (hey, full time college student), I’ve had occasion to contact software companies about vulnerabilities in their products.
More often than not, the software companies were very rude and ungrateful. Sure, they don’t like finding out that their software can be used for malicious purposes; nobody does. But they should be grateful that you are letting them know about it so they can fix it and protect their customers. But no, Apple, Microsoft, and others have shown again and again that they aren’t grateful, and despite supposedly encouraging researchers, they sometimes publicly humiliate and ostracize the very people who try to help them, forcing the researchers to take other routes, whether it be selling underground, public releases, or whatever else.
Now, I don’t condone full disclosure as a first route; I think the company should always be notified first to give them the chance to fix the problem. But I had to laugh when an exploit hit the lists for Jelsoft’s vBulletin. The researcher apparently tried to contact Jelsoft privately about the vulnerability, provided a PoC, and gave them the opportunity to fix it. Instead, they laughed, called it “obscure” and did not provide credit. You can find the information here: http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062791.html
Needless to say, similar things have happened to me before. Once I was given vulnerability information about IE6 and 7, and working with various people, PoCs were produced. I was tasked with contacting Microsoft, and after several emails back and forth, we were told that Microsoft would not fix the issue until IE8. Well, fast forward a bit, and Microsoft issued a silent patch for the issue for IE6 and 7. So let it be known throughout the land: this is not how you treat people trying to help you.