Vulnerability Disclosure Policy through the eyes of a bug hunter

November 23, 2020


A Vulnerability Disclosure Policy (VDP) helps organisations be more secure. Yet too few understand what a VDP is and why every organisation needs one. Let’s see the value of VDP through the eyes of an ethical hacker. We chat with SaxX, who shares his thoughts and experiences about vulnerability disclosure.

Hello SaxX! Please introduce yourself in a few words.

My name is Clement Domingo aka SaxX. I am a cybersecurity engineer, bug hunter and I am part of the Hexpresso Team.

I started doing Bug Bounty four years ago now – I was completely unfamiliar with the concept until I met Freeman and Onemore, YesWeHack’s co-founders, at “La Nuit du Hack”. After quite some discussion, one thing led to another, and they eventually told me, “Hey, why don’t you try Bug Bounty?”.

I quickly got into it and became very active for three years. Since last year, I’ve been taking it easy and getting involved in other projects. However, I plan to gradually get back into it, as I don’t like seeing myself ranked 4th on the platform! (laughs)

View YesWeHack’s global ranking here.

Today’s topic is Vulnerability Disclosure Policy (VDP) rather than Bug Bounty. Can you tell us in your own words what a VDP is?

First of all, VDP has nothing to do with Bug Bounty. When we talk about responsible disclosure, we actually have to ban the term Bug Bounty.

A VDP, to put it very simply, is a communication channel that an organisation can set up on its website (whether a simple text file or a more detailed web page), through which vulnerability reports would be submitted.

You’ve probably already seen numerous articles in the media explaining the same story over and over again: “Company X has been hacked. However, we’ve learned that 6 months ago, a cybersecurity researcher had tried to contact this company to point out the critical vulnerability exploited today by malicious hackers. Unfortunately, he never managed to get in touch with the right person at the company.”

So in a nutshell, a Vulnerability Disclosure Policy is a communication channel allowing researchers to submit vulnerabilities they wish to report.

Thank you, that’s very clear. Still, many people confuse Bug Bounty and VDP. Can you explain, in your words, the difference between these two approaches?

The first thing is the monetary aspect. When we talk about Bug Bounty, we automatically draw the parallel with cash. Bug Bounty is all about money, about the bounty.

On the contrary, with VDP, there is no financial reward. When you report a vulnerability as part of a Vulnerability Disclosure Policy, it is your moral and civic consciousness that drives you to do so. Therefore, you don’t expect any rewards, you are only doing this so the company can be aware of the vulnerability, qualify it and correct it as quickly as possible. So the major difference between VDP and Bug Bounty is about money!

Another difference is time investment when doing Bug Bounty. You’re invited to a program by a platform and you’re going to spend time on it to find a vulnerability.

VDP is more a matter of coincidence, a “one-shot deal”. You are using a product on the Internet, in your everyday life, and you see something suspicious. Being a cybersecurity researcher, you’re going to want to go further, understand this vulnerability to see what you can do with it. And then, if this vulnerability is valid, and is critical for the company but also for you since you use this product, you will try to get in touch to report it to them.

We made a short video to clearly explain the differences between Bug Bounty and VDP.

Watch the video.

So a Vulnerability Disclosure Policy, as you said, is a channel that organisations set up to hear from well-intentioned people. May we then assume that all companies have a VDP in place?

This is quite far from reality, I’m afraid. In an ideal world, yes, every company (from small businesses to multinationals) should have a VDP. But today, in fact, in France and throughout the world, we realise that many, many companies have absolutely no VDP.

Fun fact, I had a look at the top 30 Alexa sites in France before our chat: only three of them have a Vulnerability Disclosure Policy… And out of the 30, there are about eight or nine that have a Bug Bounty program. Therefore, if we extend this to a sector of activity, to a city or a country, we realise that much remains to be done.

Why do you think the majority of companies don’t have a VDP? Perhaps they simply don’t know what it is?

The first point, as you mentioned, is that very few companies know exactly what a VDP is. And more surprisingly, only a few researchers know exactly what it is. There is a lot of confusion on the subject.

This confusion is often caused by the publication of Bug Bounty programs next to a VDP by some Bug Bounty platforms. From time to time, we can see on Twitter some “conflicts” between researchers and companies: researchers complain about having received only a t-shirt as a reward for a vulnerability when they were expecting to receive a bounty. There is a huge amalgam.

Not so long ago, for instance, an energy drink company launched a wild card program via a Bug Bounty platform. It was a huge scope and a big company, so naturally, you’d think there would be some big rewards at stake. And yet, no, it was a “disguised” VDP, without rewards. Quite a few researchers were fooled and were a bit upset then. Understandably, as they invested time in finding vulnerabilities to receive nothing in return…

There is a real lack of communication, visibility and transparency on the subject. We still need to raise awareness over the topic and help all parties, companies and hunters, understand what VDP is all about.

You said earlier that reporting a vulnerability you identified while using a service is a civic duty. Please elaborate on what you do in such a situation.

The first thing is going directly to the website and trying to see if there’s a security.txt or a page saying, “contact us here”. If there is no information, I go on Twitter and send them a DM (direct message). In half the cases, I get an answer. When I don’t, the third step is to ask fellow ethical hackers to get contacts in the company. And if I still don’t have any result, I post a message on Twitter.

Let me explain through a few stories that have happened over the last few months.

The first one happened at the beginning of the first lockdown (mid-March 2020). I was developing an OSINT tool and I tried to run it on a West African government. Pretty soon, I came across something quite big. After 30 minutes, with a small Python script, I had access to all the information of this service which provided: name, first name, email address, postal address, national identity card number of citizens – to sum up, sensitive data.

I found a generic email address on their official website, so I sent an email. No answer came through. Then, I activated my network, messaging a few groups I belong to. I got a lot of feedback, but I was given contacts of engineers who themselves didn’t know whom to contact internally. There was a real lack of visibility about who were the right people within the organisation.

The last step was posting a message on Twitter. I got a lot of replies, but mostly from people who just wanted to know what it was about. In these cases, I don’t give any information to avoid compromising the affected organisation.

Today, more than 6 months after my first contact attempt, I have had no “serious” contact. The vulnerability is still there. This is a rather crazy and negative experience which shows that even government institutions are far from the mark. Here, it was Africa, that’s another subject, but this example is worth mentioning.

The second experience I want to share is a bit funnier and I was pleasantly surprised. I was invited by a friend to an online fundraiser to buy a gift for another friend. Before giving my bank account details, I took a look at the application. Soon enough, I realised that with a little vulnerability, I could have access to the contacts of all the people who had participated in this fundraiser.

So, the first thing I did: I went on Twitter and sent a DM to the company. The guys got in touch with me fairly quickly and, above all, put me in contact with the head of the cyber team. I spoke to him on the phone to explain my findings and the next day, they sent me a voucher to thank me, as the vulnerability I had found was quite critical. The company didn’t have a Bug Bounty program or VDP. Yet, their Twitter account was quite effective as they were able to redirect the information to the right person quite quickly.

And the last anecdote is about a city, Rennes. Again, I was testing the new tool I am developing. I was quickly drawn to a subdomain on a high school website. I realised that I could reinstall the website, and by doing so I could put a webshell that gave me a foot in their server. From their server, I would bounce back to the main site, with all that it entails.

I looked for contact details on the high school website but found no mention of how to report a vulnerability. I found a phone number and tried to call, especially as the vulnerability was critical. I got the voicemail and left two messages but didn’t hear back. Then, I sent a message to the generic email address. No answer.

As this is a religious institution and I have acquaintances in this community, I quickly received contact details, including the headmaster’s. Despite our best efforts, we couldn’t get a hold of each other.

The next day, since I had posted a message on Twitter in the meantime, people sent me the number of the school administrator. The guy had already been alerted by others (I must have been the fifth person to call him). I was shocked: the guy didn’t care. I especially think that he didn’t know what we were talking about and, above all, he wasn’t in charge of this website. It was another provider who had to handle it.

End of this unlikely story: a journalist I know wrote a paper about it and was ultimately able to get the information back to the right people. And finally, after this article, the vulnerability was taken into account and corrected…

This all must be truly frustrating…

Absolutely. I have the feeling that, sometimes, organisations deliberately do not have a point of contact for researchers, because they still have that old fear of having to deal with people who might be a threat.

However, nowadays, there are a lot of good-faith researchers who just want to help these organisations protect themselves.

Patience has limits. As a researcher, you spend a couple of hours or even days to find the right contact, who will then have to agree to listen to you and take your remarks into consideration… All this is very frustrating and, at the end of the day, it doesn’t really make you want to help them.

Have you ever given up?

Yes, clearly, this has happened more than once. When I engage in these steps, it’s only when I find something really critical. I’m not going to disturb people for something minor. But yes, I’ve sometimes given up over the years because I’ve never had a response.

What is your approach when searching for vulnerabilities? Are you really looking for them, or do you “stumble” upon them?

For the two examples above concerning the government and the city, it was not necessarily by pure coincidence as I was testing a tool. But in my daily life, as soon as I use a payment platform, for example, I take a quick look at what’s behind it. I launch a proxy and see the requests, see if I can add a request, for example.

Let’s imagine: I have an amount of 300 euros to pay on a website. If I understand how the code is built and try to put 5 euros instead of 300, will it work? I’m doing this out of curiosity. In 60 to 80 per cent of cases, it works. And in these situations, either you act honestly like I do and try to alert the company, or you take advantage of the vulnerability.

Actually, I’m a bit like a bull who sees red. If I see a bit of red, something that catches my attention, I’ll jump in… As a researcher, I want to see how far I can go, it’s a bit like a game.

Have you ever encountered problems after contacting a company?

No, never. I have my own theory on the subject: I think there are different ways of reporting a vulnerability.

Imagine that you find a vulnerability on any website. You can be very arrogant and say, “I found a vulnerability, your site is not that secure, it’s really c***”. Or, you can have a professional and helpful stance by making the other person understand that a vulnerability can happen to anyone, even the best. You can explain that you have found a vulnerability and you are willing to help them understand the problem and make them feel secure.

There are many researchers who are afraid of referring vulnerabilities to companies because they are fearful of having problems afterwards. I think that, once the image of hackers has been demystified, and once companies understand that there are not only “malicious” people in the hacker community, things will get much better.

Today, there are still a lot of people who find vulnerabilities but don’t dare to make the jump, so they keep them to themselves… And, unfortunately, it can be very damaging for companies if an ill-intentioned person finds them instead.

Thank you, and keep up the great work!

If you would like more information on how YesWeHack can help you set up your VDP, please drop us a message at contact@yeswehack.com