  2. 3

    I wonder if this reporter received more than just a T-shirt in exchange for reporting what is, in essence, an existential bug for Cloudflare - and a huge part of the internet.

    1. 2

      Very nice write-up.

      I found this line interesting:

      > Because Cloudflare is running a vulnerability disclosure program on HackerOne, it’s likely that HackerOne’s triage team won’t forward the report to Cloudflare unless it indicates that the vulnerability is actually exploitable. Therefore, I decided to do a demonstration to show that the vulnerability can actually be exploited.

      That seems bad? I feel like an organisation would prefer to know about a vulnerability before it is exploited, so a program which doesn’t bring un-exploited vulnerabilities to the org in a timely fashion seems unfortunate.

      (Yeah, I know that there’s a difference between a vulnerability being “exploitable” and being “exploited”, but… oftentimes, the only way to know is to actually exploit it.)

      1. 4

        > That seems bad? I feel like an organisation would prefer to know about a vulnerability before it being exploited, so a program which doesn’t bring un-exploited vulnerabilities to the org in a timely fashion seems unfortunate.

        Probably depends on how many people you get rocking up going “This header is missing” or “That page doesn’t have a meta tag specifying x” under the guise of “OMG you’re gonna get hacked”. You receive enough of those emails to your security@ address and you start thinking the world is full of automated report generators connected up to email accounts, rather than actual people finding things that are worth looking at and fixing. (Also, having non-technical people on your security@ email list is fun because they take all of these pseudo-spam reports as terrible and important.)

        I could see in the face of all of those you filter them down to “here is an exploit” as the threshold before you engage. Not sure I’d like the external platform gating that though, although maybe that’s part of HackerOne’s value add.

        1. 1

          Yeah, +1 to this. And it can actually be pretty difficult to confirm/disconfirm some reports without a solid reproduction case to follow or a proof-of-concept to look at.

          If someone writes to you and claims to have found some vulnerability that would be top-severity if real, 95% of the time they’re just mistaken. If you investigated all of those thoroughly, you’d waste a ton of time. Part of the reporter’s duty is to make a convincing case that they’re not just fooling themselves, unfortunately.

          (I’ve been the person raising a false or mostly-false alarm internally a couple of times. It’s easy to end up in those situations. Proof of concept is super important.)

          The tricky part here is that some things are hard to exploit without exposing the vulnerability publicly. :-/