Security Flaw - Report it?

Question

This may be a community wiki, I'm not sure.

Imagine a scenario where you discover a security flaw in a company's website while browsing the web. Something involving a change to URL parameters that releases information to you that you otherwise should not have had access to, for example. By changing these fields are you guilty of "hacking"? If so, should you report the security flaw to the company, or is there a legitimate fear of legal repercussions if you admit your "guilt"?

Clarification as requested: This is all external facing, fully accessible .NET pages that accept variables that can have unintended results when modified.

Second Edit: To be clear this is not a company I work for, but another website on the internet that I have no relationship with.

Please clarifty where you are browsing from - inside the company domain or outside? — zedman9991, Jun 07 '11 at 13:59

score 4 · Answer 1 · answered Jun 07 '11 at 14:17

Alert: some stereotypes are made below which may or may not be accurate.

Does said company have a large legal team or has it been around for, say, more than 15 years? If yes, then don't bother. Your well-intentioned disclosure will likely be seen as hacking and they'll have no qualms about releasing their legal team on you.

On the other hand, if the company is newish, if it's seen as understanding things like social media well, and are generally supportive and open with their customers, then yes, go for it.

This is an interesting viewpoint, but I'm not sure it's worth the risk for any "average Joe" to make this decision. It's too bad that someone trying to be a good e-Samaritan has to be concerned with being sued. — Kyle Smith, Jun 07 '11 at 15:10

score 3 · Accepted Answer · answered Jun 07 '11 at 15:08

Here are some common sense guidelines when disclosing vulnerabilities to stay out of trouble:

Use a private channel. No company likes getting their security flaws pointed out on a news site. You better have a lot of experience before you post on Full Disclosure.
Never, ever, ever threaten or demand when disclosing a vulnerability. Other than being rude you are likely to find yourself facing the legal firing-squad. Threats includes "if you don't fix this I will post it all over the net" and extortion includes "I want money to help you fix this". Just don't do it.
Make the communication official and traceable. Optimal is if the communication comes from a company you control or similar. That also offers a layer of protection, should they decide that you are an evil Haxxor.
Communicate with the right people. You don't want to speak with first line support, nor the CEO. With a bit of effort you can often find the correct department. In the worst case, look for a CISO or CERT in a large company. Nobody likes the head of the company to come storming into the office demanding to know why this dangerous SEE-KU-L thing is not fixed.

For a more formal set of guidelines you can have a look at CCSS Forum and the OIS Guidelines for Security Vulnerability Reporting and Response. You are primarily interested in the "discovery" and "notification" steps I believe.

No sane company is going to cause you problem you for reporting a vulnerability in private. Letting the legal hounds of hell lose costs a lot of money. However, if they interpret it as an extortion attempt or you go out of your way to shame them they might decide to bring in the legal team to deal with you.

Security Flaw - Report it?

2 Answers2