CVE-2018-8414: A Case Study in Responsible Disclosure by Matt Nelson.
From the post:
The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly.
I submit a lot of bugs, through both bounty programs (Bugcrowd/HackerOne) and direct reporting lines (Microsoft). I’m not here to discuss ethics. I’m not here to provide a solution to the great “vulnerability disclosure” debate. I am simply here to share one experience that really stood out to me, and I hope it causes some reflection on the reporting processes for all vendors going forward.
First, I’d like to give a little background on myself and my relationship with vulnerability research.
I’m not an experienced reverse engineer. I’m not a full-time developer. Do I know C/C++ well? No. I’m relatively new to the industry (3 years in). I give up my free time to do research and close my knowledge gaps. I don’t find crazy kernel memory leaks; rather, I find often overlooked user-mode logic bugs (DACL overwrite bugs, anyone?).
Most importantly, I do vulnerability research (VR) as a hobby in order to learn technical concepts I’m interested in that don’t necessarily apply directly to my day job. While limited, my experience in VR comes with the same pains that everyone else has.
…
I mention this as one data point in the submission of bug reports and as encouragement to engage in bug hunting, even if you aren’t a kernel geek.
If you follow the disclosure “ethics” described in this post, the “us” who benefits includes the CIA, NSA, Saudi Arabia, Israel, and a host of others.