The Coordinated Vulnerability Disclosure (CVD) process:
Discovery: The researcher finds the problem.
Private Notification: The researcher contacts the vendor/owner directly and privately. No public information is released yet.
The Embargo Period: The researcher and vendor agree on a timeframe for the fix (industry standard is often 90 days, popularized by Google Project Zero).
Remediation: The vendor develops and deploys a patch.
Public Disclosure: Once the patch is live (or the deadline expires), the researcher publishes their findings, often assigned a CVE (Common Vulnerabilities and Exposures) ID.
Proof of Concept (PoC): Technical details or code showing exactly how to exploit the flaw may be released to help defenders understand the risk, usually after users have had time to patch.
You say the flaw is “fundamental”, suggesting you don’t think it can be patched? I guess I’d inform my investment manager during the “private notification” phase as well, then. It’s possible you’re wrong about its patchability, of course, so I’d recommend carrying on with CVD regardless.
What if you’ve got no credentials, but the flaw is so serious that it will not matter if known?
This is a true hypothetical curiosity. I do not know anything of value. A bunch of people here like to call me crazy, and I’ve rambled on and on many times in ways that likely confirm their notions. A person like this is not likely to fare very well when operating well outside their social caste unless they already have hand holds on the rungs of the ladder above. Still, there are some rather surprising areas of technology without adequate fundamental research. Perhaps it is hypothetically better to have John Conner in the world of Cyberdyne. If someone had killed Apache early, the Internet would not be the same heaven of democracy, though that is not a very good intuitive scope of analogy. Just something to ponder if one were to be in such a situation.
It comes down to whether you can demonstrate this flaw. If you have a way to show it actually working then credentials shouldn’t matter.
If your attempts at disclosure are being ignored then check:
Am I presenting this in a way that makes me seem like a deranged crazy person?
Am I a deranged crazy person?
Try to resolve those. If the company you’re trying to contact is still sending your emails to the spam bin, maybe try contacting other people who have done disclosure on issues like this before. If you can convince them then they can use their own credibility to advance the issue.
If that doesn’t work then I guess check the “deranged crazy person” things one more time and move on to disclosing it publicly yourself.
Sometimes the whole world does seem crazy. So I’m not liking my odds. Thanks for the rational advice.