
Erm, no. Dude, if I spend my time figuring out vulnerabilities in your system and don't exploit 'em, and instead help you close them, and I am not even a cardholder... I will not jump through any hoops for any amount of my time. They owe me; I owe them shit. I am being kind and generous by not exploiting it, giving the exploit to others, or using it to fuck up AMEX's reputation.

Especially true if I want my anonymity preserved.

Jumping through hoops? Dude, he got in contact with someone. Instead he got a "piss off" response.




I for one think it's a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.

It's the equivalent of telling a teller or their doorman about it.


> I for one think it's a seriously unrealistic expectation to think that AMEX or insert large corp here will handle security vulnerabilities over twitter.

a) Agree. b) That said, I think the fact that the person on the other end of the American Express Twitter account was willing to talk to the guy over DM, and thereby actually /was/ willing to handle a security vulnerability over Twitter, is the most damning argument against this guy's rant; he insisted on using a "modern protocol", but apparently telling someone using Twitter, when they were perfectly happy to let him do so, was not modern enough: he insisted it be on his terms or no terms, e-mail or nothing.


No, he did not appear to want to discuss it over Twitter either. They offered that.

I assume he was looking for a specific email address and perhaps a PGP key. Sure, that would be nice. But using the telephone is a pretty common method of transmitting important, time-sensitive information.


Worrying about keeping the information private is inconsistent with posting it publicly.


As someone who does community management/marketing, I take claims like security issues very seriously. If someone at 4pm messaged such over Twitter to my startup, I'd call the CEO and all engineers immediately, regardless of the time. I don't think I'm a doorman there, but rather the first line of defense/listening.


The key word in your post is "startup". Most CSRs of AMEX have probably not even seen their CEO in person, let alone "call him immediately".


Their bosses' bosses have never seen their CEOs. I bet you there's a good chance a CSR doesn't even know their CEO's name.

I certainly didn't back when I worked at $IMMENSE_FINANCIAL_INSTITUTIONs.


To be fair, he asked repeatedly for a proper security contact and claims they don't publish one for whatever reason.

If the only way to contact you is through clueless support people who have a script that doesn't include your option, yeah, that's a problem. But usually it's the customer who is screwed by this. This time, it bit the company instead.

That said, you can always ask if someone knows a security contact on BugTraq. Someone there will probably know.


He was trying to handle it over email. He was just asking the doorman for directions to the manager's office.


The hacker didn't want to use Twitter either...

And what do you think the doorman/receptionist is for?


Well, I didn't get a "piss off" response, I got a nice warm thank you. Perhaps he could have persevered just a bit? I had to do a bit of hand-holding to get the CSR to whom I spoke to understand the problem, but once she did, it was easy.


At first glance you made some progress, and that makes him seem unrealistic in his demands for electronic communication, but what makes you think that the issue was reported properly upstream? I think that you got lucky to find someone who understood that it was a real problem, and unless they have an internal escalation procedure in place, there's a decent chance it will die with her or her supervisor. There's really no way of knowing if your report had any effect or not. Other large corporations have measures in place to handle vulnerability reports; it seems like a problem for a large CC provider to not have a clear procedure in place for handling these issues.


When a non-customer does you the courtesy of pointing out serious flaws in your system, you do not ask them to detail it publicly via twitter.

Nor is it a good idea to make them jump through hoops. You know what method of disclosure doesn't have hoops? Posting an email to the Full Disclosure mailing list.

Look. I'm all for giving the company a chance, but if you put up arbitrary hoops for me to jump through... why shouldn't I take the path of least resistance again?


I have to agree with the others here: while you may have done what you believe is the "right" thing, you have absolutely no idea if that avenue of inquiry went anywhere, and based on my experience working in an enterprise, I would guess that even if it did go anywhere from there, it would take weeks for meetings to get scheduled and months for people to get assigned to actually do anything about it.


I disagree. If you want to be a black hat and exploit or sell the vulnerability, then fine. But if you're going to claim to be a good guy, you need to make more than a half-hearted effort to do the right thing.

In this case, the exploit is so simple and obvious that he could have fit it in a Twitter DM (which is a method of communication that was specifically offered to him).


No. The only way to be a bad guy is to exploit the vulnerability. He didn't do anything wrong, he did something very right that most people couldn't and wouldn't have done, and he was rebuffed for it.

It's not like they're owed this. If not for this good guy wasting his time trying to contact them and publishing this, they'd have probably been vulnerable for years.

The person in the thread who made the call could only have done so with the help of the initial disclosure. He couldn't have helped make Amex more secure until the security researcher showed him how.

Now Amex is more secure than yesterday.


I agree with you that preserving anonymity is a valid goal. Spending 20-30 minutes on the phone is not how one should run something like a whistle-blower's hotline.

I don't agree with the idea that you are "...being kind and generous by not exploiting...".


I'm curious, if notifying them instead of exploiting the bug doesn't qualify as 'kind', then what do you call it?

As far as I'm concerned, that's being bloody gracious and generous.


Yes, notifying them is kind. Simply not exploiting them is not.

It's like saying I'm being kind for not robbing someone.


It's more like, "I found your wallet, here it is, and all the money is still there." Perhaps honorable is the right word we are looking for here.


Hardly. Exploiting the vulnerability is clearly and objectively illegal. It is likely to affect not only the company itself but also any innocent customers one might defraud.



