Reality of Responsible Vulnerability Disclosure in Malaysia
Bear with my writing, as it's been 30+ hours since my last sleep. Yep.
Working with the Malaysia Computer Emergency Response Team (MyCERT) and SEC Consult (MY) has taught me the reality of responsible vulnerability disclosure in Malaysia.
Speaking from my experience of having to communicate directly with vendors, I can say most vendors here are not yet ready to receive reports of security issues in their products. They always assume you are trying to blackmail them and become very defensive. Also, their legal and PR departments are not happy with you for doing some funny stuff with their web/product without first getting their consent.
Take the following vulnerability report as an example:
- https://portswigger.net/daily-swig/critical-flaw-found-in-mybiz-procurement-software
The vendor failed to respond to any of the emails I sent across multiple channels, but was somehow able to respond to the PortSwigger blog post.
Timeline:
2018-02-22: Contacting vendor through [email protected] (no response)
2018-02-27: Request update from the vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us (no response)
2018-05-14: Public release of security advisory
Another perfect example is from my previous blog post (http://blog.rz.my/2018/09/how-to-not-write-code-for-banks.html); this particular vendor even threatened to sue over the security report.
My best experience with reporting is this report:
- https://sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc-media-player-ios-app/
I presented at the OWASP.MY Meetup in 2018 about the workflow of responsible disclosure; you can check the slides here
That's all about reporting vulnerabilities in local vendors' products. What if you would like to report a vulnerability in a particular website that happens to be owned by a Malaysian entity? For example, you found a security vulnerability at something[.]gov[.]my or any domain ending in .MY; how do you report it?
You can always report to MyCERT or the National Cyber Security Agency (NACSA) through their web form or just email them.
- MyCERT: http://mycert.org.my/portal/full?id=9eb77829-7dd4-4180-814f-de3a539b7a01
- NACSA: https://www.nacsa.gov.my/incident_report.php
I often report security vulnerabilities to MyCERT as I am familiar with their escalation SOP, which helps a lot with escalating the issue to the relevant parties.
When you report to MyCERT or NACSA, don't expect to receive any credit if the vulnerability gets patched. For me, it's better not to put yourself in legal trouble for doing some funny stuff on their web. The credit you wanted is not worth the legal trouble you might have later. It might also affect your future career.. you know, the "who wants a naughty kid" kind of mindset.
Remember, if someone comes along chanting "we do all this without taking any money and only for our beloved country", that is bullshit.
Ok bye
Hi, I come from the future.