this post was submitted on 21 Aug 2024
1 points (100.0% liked)

Cybersecurity

5 readers
63 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 2 years ago
MODERATORS
shellsharks@fedia.io
tweedge@fedia.io
1
A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many (fedia.io)
submitted 6 months ago by harrysintonen@infosec.exchange to c/cybersecurity@fedia.io
6 comments fedilink hide all child comments
 

A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many to disregard the vulnerability, which may have resulted in unpatched systems that remain vulnerable.

"I would like to remind you that as a researcher using the BugCrowd platform to submit this issue you are bound by the BugCrowd standard disclosure terms and you may not blog or disclose any information on the exploitation of this vulnerability."

I were to follow these rules, it would mean that countless of client systems could remain vulnerable to this critical vulnerability.

I’ve mostly had good experiences with bug bounty programs before this incident. Sure, I’ve had some disagreements at times, but I’ve never seen a program being abused like this before.

#responsibledisclosure #infosec #cybersecurity

you are viewing a single comment's thread
view the rest of the comments
[–] harrysintonen@infosec.exchange 1 points 1 month ago

The company doing this is https://www.n-able.com/ - here's are the details: https://sintonen.fi/advisories/n-able-ecosystem-agent-improper-certificate-validation.txt

...except for the PoC exploit which is insanely simple to pull off. Anyone with #mitmproxy and half a brain can do it.