Responsible Disclosure Examples.
#1
Hi everyone,

I'm still pretty new to all this and I'm really enjoying learning as much as possible. 

I'm looking for examples of reports that would be submitted to companies in order to disclose a bug. Does anyone know where I might find some examples? I'm not really fussy about the technical details (and if I'm honest, most of it would probably go over my head!), but I'm looking for examples of best practices when contacting companies.

I've had a google, and all the info seems to be about where to submit bugs via bug bounties and not the best way to submit bugs. I'm assuming lots of screenshots of the process and any notes that may be relevant?

I'm sorry if this is the wrong place to post this kind of question and thanks for taking your time to read! 

I'm still VERY early on in my journey when it comes to cyber security, but if anyone can also point me in the direction of good learning resources that I can add to my list I would be very grateful.

Thanks again.
#2
Welcome to GS. If your goal is to become a bug bounty hunter, learning about responsible disclosure is certainly important. As it is with all things, though, it's better to start at the beginning.

What I mean by that is try to work on your technical skills before diving into the legal and administrative minutiae of reporting vulnerabilities. That said, I'll give you a quick overview. Now, in the interest of full disclosure, I personally don't do a lot of bug bounties, but I know a little bit of how the industry works, and if I can use that knowledge to help you, I'd consider that a good thing.

Submitting reports through bug bounty programs/bug bounty aggregators can be a viable strategy. Those sites can also offer resources to help you learn about the proper procedure.

But let's say you have found a vulnerability in a website belonging to a company and you wish to report your findings directly to them. What you want to do is read their policy on security issues and bug submissions. If it's not mentioned on their website in the terms of service or similar, just go ahead and send an e-mail to them inquiring about their policy on vulnerability disclosure. Tell them you're a security researcher and may have found an issue with something on their site.

If you have a GitHub and/or website with your work, link your portfolio so they know they're not just dealing with some random person bothering them for nefarious purposes.

If they get back to you and indicate they have policies conducive to this sort of thing, they'll most likely tell you their protocol for these matters. Perhaps they send you an email address and/or refer you so you can get in touch with the person in charge of these things. With the proper info now secured, you know where to submit your report.

The way you write your report follows a simple formula. What you want to do is start off with an Executive Summary. What that means is you describe, in short, the type of vulnerability you have found, where you have found it and what techniques were used to produce the result you got. Remember, though, that it's a summary; it should be something an executive can read, understand, and use to grasp the severity/impact. You can include screenshots in your Executive Summary.

After the Executive Summary you'll be doing a technical write-up; this is mostly aimed at the IT team/security/incident response people. In your technical write-up you go over the process of how to reproduce the result you got, in technical detail. You also go into detail on how the vulnerability you found may impact the overall security of the website in question and the company's assets and infrastructure more broadly (if and when appropriate, of course; a reflected XSS, for instance, will have less impact on general infrastructure and web assets than, say, an RCE or an entire attack chain) and how it might be used to create adverse effects beyond just the initial vuln.

To conclude you offer suggestions for mitigation, and solutions to the problem you found.

That'll be your report. The team responsible for security over at the company in question will go over your report and reproduce the conditions that led you to find the vulnerability, in order to verify your findings. After which you will be contacted, and if they have a good Vulnerability Disclosure Policy and/or bug bounty program there may be a reward involved, or maybe they'll just say thanks.

If you'd like to post your findings to your website or portfolio, you discuss with them how they'd prefer to go about it. Generally they'll need some time to patch before they agree to a public disclosure, after which you may be able to do a coordinated release. But it depends and can vary from company to company.

That's basically it in a nutshell. It's very important to learn a company's policy towards these sorts of things, though, for legal purposes. So communication is key.

I hope that gives you some insight, and it's generally how I do a vulnerability report. The core formula of the report (Executive Summary, Technical Write-up, Mitigations) is, in my opinion, a good way to approach vuln reports, whether you are writing one for a client, for your boss if you work in InfoSec, or submitting one to a bug bounty. Your mileage may vary, however, and you might want to add more detail, emphasis, or sources, depending on the exact setting. Like I said, this is just the general idea. However, I hope this information was useful to you.

And if there are any seasoned bug bounty hunters reading this, please feel free to provide constructive criticism on my post regarding this. The aim is to provide the best information and answers to the question presented to us.
#3
(05-03-2021, 09:28 AM)Vector Wrote: Welcome to GS. If your goal is to become a bug bounty hunter learning about responsible disclosure is certainly important. As it is with all things though it's better to start at the beginning......

This is absolutely fantastic, thank you for such a comprehensive response.

I've been thinking of making a blog where I write up my progress in CTFs so I have evidence of my learning and practice with regard to communicating processes. The format and advice you have provided is perfect and I'm looking forward to writing it up.

Thanks again, it's good to talk to someone who clearly knows their stuff!
#4
(05-03-2021, 12:07 PM)Barometer Wrote: This is absolutely fantastic, thank you for such a comprehensive response......

Thank you for the kind words. I think it's a great idea to start a blog where you do write-ups of CTFs; as you progress in your studies and skill level, you can expand the blog to include some of your independent research and perhaps tooling that you develop in pursuit of your goals.

That way you will not only have documented your journey and progress but simultaneously created a portfolio of your work.
#5
(05-03-2021, 03:10 PM)Vector Wrote: Thank you for the kind words. I think it's a great idea to start a blog where you do write-ups of CTFs......

I'm glad to hear that you think it's a good idea; I was a little uncertain about it.

Thanks again for your guidance and wonderful introduction to the forum. I'm impressed by the level of the content when compared to some of the other forums out there!
#6
For sure! GreySec aspires to be a high quality resource for anything and everything related to computer science with a particular emphasis on InfoSec and Cyber Security more generally. Our other ventures include OSS Development and Security research.

So your compliment about the level of content is greatly appreciated!