Security Flaw - Report it?

This may be a community wiki, I'm not sure.

Imagine a scenario where you discover a security flaw in a company's website while browsing the web. Something involving a change to URL parameters that releases information to you that you otherwise should not have had access to, for example. By changing these fields are you guilty of "hacking"? If so, should you report the security flaw to the company, or is there a legitimate fear of legal repercussions if you admit your "guilt"?

Clarification as requested: This is all external facing, fully accessible .NET pages that accept variables that can have unintended results when modified.

Second Edit: To be clear this is not a company I work for, but another website on the internet that I have no relationship with.


Here are some common sense guidelines when disclosing vulnerabilities to stay out of trouble:

  1. Use a private channel. No company likes getting their security flaws pointed out on a news site. You better have a lot of experience before you post on Full Disclosure.
  2. Never, ever, ever threaten or demand when disclosing a vulnerability. Other than being rude, you are likely to find yourself facing the legal firing-squad. Threats include "if you don't fix this I will post it all over the net" and extortion includes "I want money to help you fix this". Just don't do it.
  3. Make the communication official and traceable. Optimal is if the communication comes from a company you control or similar. That also offers a layer of protection, should they decide that you are an evil Haxxor.
  4. Communicate with the right people. You don't want to speak with first line support, nor the CEO. With a bit of effort you can often find the correct department. In the worst case, look for a CISO or CERT in a large company. Nobody likes the head of the company to come storming into the office demanding to know why this dangerous SEE-KU-L thing is not fixed.

For a more formal set of guidelines you can have a look at CCSS Forum and the OIS Guidelines for Security Vulnerability Reporting and Response. You are primarily interested in the "discovery" and "notification" steps I believe.

No sane company is going to cause you problems for reporting a vulnerability in private. Letting the legal hounds of hell loose costs a lot of money. However, if they interpret it as an extortion attempt or you go out of your way to shame them, they might decide to bring in the legal team to deal with you.


Alert: some stereotypes are made below which may or may not be accurate.

Does said company have a large legal team or has it been around for, say, more than 15 years? If yes, then don't bother. Your well-intentioned disclosure will likely be seen as hacking and they'll have no qualms about releasing their legal team on you.

On the other hand, if the company is newish, if it's seen as understanding things like social media well, and is generally supportive and open with its customers, then yes, go for it.