Wednesday, November 5, 2014

Experiences of Reporting Vulnerabilities

I thought I would take a moment to memorialize a few experiences with reporting vulnerabilities to companies.  In the information below I am going to keep the companies anonymous.  The vulnerabilities discussed below have been mitigated by the companies to which they were reported.  I am going to share the good, bad, and ugly ways in which companies handled these reports.

The first experience was contacting a company that publishes content and allows this content to be accessed by their respective customers.  The vulnerability existed in the security between their customers and the content that could be accessed.  By manipulating the URL as an authenticated user you could view other customers' content, and it was then discovered that without being authenticated you could view this information.  Upon contacting the company directly and working with them, they were appreciative that I reached out to them, and I even received a courtesy call from the president of the company expressing his appreciation.

The second experience was working with a company that uses a content delivery network (CDN) to deliver the content; however, as they transferred from the authenticated initial page to the material in the CDN the session was not maintained, which allowed anyone to access the content without being authenticated.  The company again came back with appreciation for identifying this flaw in their platform.
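The flaw in the second experience is that the CDN has no view of the application session, so a bare content URL is reachable by anyone who knows or guesses it. The usual fix is for the application, after it has checked the session and entitlement, to hand the user a URL carrying an expiring HMAC signature that the CDN edge can verify with nothing but a shared key and a clock. The following is an added example, not code from the post or from the company described; the CDN hostname, the content paths and the signing key are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed: a secret shared between the application and the CDN edge (constructed here).
CDN_SIGNING_KEY = b"constructed-shared-secret-do-not-reuse"
CDN_BASE = "https://cdn.example.test"  # assumed CDN hostname


def _signature(path, expires):
    """HMAC over the exact path and the expiry, so neither can be changed after signing."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(CDN_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_cdn_url(path, ttl_seconds=300, now=None):
    """Called by the application only after it has verified the user's session and
    that this user is entitled to `path`. The result is the only form of the URL the
    edge will serve, and it stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{CDN_BASE}{path}?{query}"


def cdn_edge_authorizes(url, now=None):
    """What the CDN edge does on every request: no session, no database lookup.
    A URL with no signature (the post's 'just paste the content link' case) is rejected,
    as is a tampered path, a tampered expiry, or an expired link."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    # Constant-time compare so the edge does not leak signature bytes via timing.
    return hmac.compare_digest(_signature(parsed.path, expires), sig)


def demo(now=1_700_000_000):
    """Walk through the cases the edge must distinguish; returns a dict of outcomes."""
    path = "/courses/101/lesson-3.pdf"  # constructed content path
    good = sign_cdn_url(path, ttl_seconds=300, now=now)
    return {
        "unsigned_direct_link": cdn_edge_authorizes(f"{CDN_BASE}{path}", now=now),
        "signed_fresh": cdn_edge_authorizes(good, now=now),
        "signed_expired": cdn_edge_authorizes(good, now=now + 301),
        # Reuse the signature for a different document: the HMAC covers the path, so it fails.
        "signed_path_swapped": cdn_edge_authorizes(
            good.replace("lesson-3.pdf", "lesson-4.pdf"), now=now
        ),
    }
```

The scheme is deliberately stateless at the edge; the trade-off is that a signed link is a bearer credential for its lifetime, so the TTL should be short and the signed path should be the specific object, never a directory prefix.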

Now to share a couple of experiences that did not turn out as positively during the process of reporting the vulnerabilities.

The third experience was working with a company that had multiple vulnerabilities, including a Cross-Site Request Forgery (CSRF) vulnerability which allowed an administrator account to be created while another administrator was authenticated.  Upon reporting this to the company they set up a conference call to discuss it.  When the conference call occurred the company was unprepared with the information that I had provided.  They did not openly acknowledge they had an issue.  Then I sent them the proof-of-concept and notes that I had kept.  Then the conversation started over on the conference call.  I could not believe how ignorant they were in preparing for the conference call and how cocky they were until a real vulnerability was identified in their eyes.
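What makes the third experience's CSRF work is that the browser attaches the administrator's session cookie to a form post regardless of which site the form lives on, so a "create admin" handler that checks only the cookie will accept a request an attacker's page submitted on the admin's behalf. The example below, added here and not code from the post or the company involved, puts a vulnerable handler beside a hardened one that requires a per-session synchronizer token and rejects foreign Origin headers. The session store, cookie names and origins are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://admin.example.test"  # assumed origin of the admin application
SECRET_KEY = secrets.token_bytes(32)        # per-process key for deriving CSRF tokens

# Constructed in-memory stores standing in for the session table and the user table.
SESSIONS = {"sess-admin-1": {"user": "alice", "role": "admin"}}
ADMINS = {"alice"}


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id):
    """Synchronizer token bound to the session: a token stolen from or minted for
    another session does not verify against this one."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _authenticated_admin(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess if sess and sess["role"] == "admin" else None


def create_admin_vulnerable(req):
    """Checks only that an admin session cookie arrived. Any page the admin visits
    can auto-submit this form; the browser supplies the cookie, the attacker the body."""
    if not _authenticated_admin(req):
        return 401, "not authenticated"
    ADMINS.add(req.form["username"])
    return 200, f"created {req.form['username']}"


def create_admin_hardened(req):
    """Same action, two additional checks: Origin (when the browser sends it) must be
    our own site, and the form must carry the token for this exact session."""
    if not _authenticated_admin(req):
        return 401, "not authenticated"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = csrf_token_for(req.cookies["session"])
    if not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    ADMINS.add(req.form["username"])
    return 200, f"created {req.form['username']}"


def forged_request(with_origin=True):
    """What a hidden auto-submitting form on an attacker page produces: the victim's
    cookie rides along, no token (the attacker cannot read it), and Origin, if sent,
    names the attacker's site."""
    headers = {"Origin": "https://evil.example.test"} if with_origin else {}
    return Request(cookies={"session": "sess-admin-1"},
                   form={"username": "attacker"}, headers=headers)


def legitimate_request():
    return Request(cookies={"session": "sess-admin-1"},
                   form={"username": "bob", "csrf_token": csrf_token_for("sess-admin-1")},
                   headers={"Origin": SITE_ORIGIN})


def demo():
    """Run the forged and legitimate posts through both handlers; returns statuses."""
    ADMINS.clear()
    ADMINS.add("alice")
    return {
        "vulnerable_forged": create_admin_vulnerable(forged_request())[0],
        "hardened_forged": create_admin_hardened(forged_request())[0],
        "hardened_forged_no_origin": create_admin_hardened(forged_request(False))[0],
        "hardened_legit": create_admin_hardened(legitimate_request())[0],
        "admins": sorted(ADMINS),
    }
```

The two checks are layered on purpose: the Origin check catches the common case cheaply, and the token check covers clients that omit the header. Setting the session cookie with `SameSite=Lax` or `Strict` adds a third layer in modern browsers, but on its own it is not a substitute for the token.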

The fourth experience was after a user authenticated to a platform to view billing information.  By manipulating the URL you could easily view other customers' billing information.  The first hurdle we ran into was how and where to report this vulnerability.  The only method of contact was through a customer service phone call.  After calling them they were unsure where to direct the call.  They eventually documented the ticket and escalated it.  About a month later I received a phone call from their attorney to clarify the information that was provided and determine the impact on the customers whose billing information was accessed.  He then went on a rant about not doing this and that what we did was illegal.  Being that I was the one to whom the vulnerability was reported and I had not exploited the vulnerability, I just listened.  With that stated, I could not believe they had no appreciation for finding and reporting this vulnerability; had it gone unreported it could have turned into a larger issue for the company (if it had not already turned into a larger issue).  Then, in conversing a little more with their attorney, it came out that their website was controlled by a vendor, and the vendor did not have the logs that would demonstrate which records were accessed through this vulnerability and was trying to depend on my records of which customers were impacted (which I did not have).  The company did let me know that the vulnerability was mitigated.  In my opinion, they have a lot of other issues to work through beyond the specific vulnerability that was identified.
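The first and fourth experiences share one root cause: an identifier in the URL is treated as a grant rather than a request, so changing the number returns another customer's record (and, in the first case, no session was needed at all). The example below, added here and not code from the post or from either company, shows the vulnerable lookup beside a version that authenticates first, scopes the query to the caller, and writes an audit record for every access, which is exactly the evidence the vendor in the fourth experience turned out not to have. The billing table, session cookies and customer ids are constructed.

```python
from dataclasses import dataclass

# Constructed records: a billing table keyed by customer id and a session store mapping
# session cookies to the authenticated customer. Not real data.
BILLING = {
    1001: {"customer_id": 1001, "name": "Ada", "card_last4": "4242", "balance": 120.50},
    1002: {"customer_id": 1002, "name": "Grace", "card_last4": "0005", "balance": 0.00},
}
SESSIONS = {"sess-ada": 1001, "sess-grace": 1002}
AUDIT = []  # (session_cookie, requested_id, status) for every call to the hardened handler


@dataclass
class Response:
    status: int
    body: object = None


def view_billing_vulnerable(session_cookie, customer_id):
    """Mirrors the flaw described in the post: the id from the URL is looked up as-is,
    and nothing here even requires a valid session."""
    record = BILLING.get(customer_id)
    return Response(200, record) if record else Response(404)


def view_billing_hardened(session_cookie, customer_id):
    """Authenticate, then authorize. The caller may only read the record that belongs to
    the session's customer; any other id gets the same 404 as a nonexistent id, so the
    URL cannot be used to enumerate which customers exist. Every attempt is logged."""
    owner = SESSIONS.get(session_cookie)
    if owner is None:
        AUDIT.append((session_cookie, customer_id, 401))
        return Response(401)
    if customer_id != owner or customer_id not in BILLING:
        AUDIT.append((session_cookie, customer_id, 404))
        return Response(404)
    AUDIT.append((session_cookie, customer_id, 200))
    return Response(200, BILLING[customer_id])


def probe(handler, session_cookie, id_range):
    """Walk the id space the way the URL manipulation in the post did and count how
    many records come back. Against the hardened handler this leaves an audit trail
    showing exactly which ids were tried by which session."""
    return sum(1 for cid in id_range if handler(session_cookie, cid).status == 200)


def demo():
    AUDIT.clear()
    ids = range(1000, 1010)
    return {
        "vulnerable_no_session": probe(view_billing_vulnerable, None, ids),
        "vulnerable_as_ada": probe(view_billing_vulnerable, "sess-ada", ids),
        "hardened_no_session": probe(view_billing_hardened, None, ids),
        "hardened_as_ada": probe(view_billing_hardened, "sess-ada", ids),
        "audit_entries": len(AUDIT),
        "ada_denied_ids": sorted(cid for s, cid, st in AUDIT if s == "sess-ada" and st == 404),
    }
```

The cleanest form of the hardened handler removes the identifier from the URL altogether (`/billing/me`) and derives it from the session; the version above keeps the parameter so the contrast with the vulnerable lookup is visible. Logging the denied attempts, not just the successes, is what later lets an incident responder answer the question the attorney in the fourth experience was asking.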
