Responsible Disclosure: a year in review - 2016
Frank Breedijk
Let's start by killing the suspense: we only sent out two rewards in 2016.
Does this mean we did not get any reports in 2016?
No, in total over 1000 tickets were created. Over 4/5 of them were either spam, noise (like account confirmation emails and such) or abuse messages for our Atom86 team. We received and processed an additional 66 tickets from honeypots like Project Honeypot and Shadowserver.
In total we received 26 RD reports in 2016, in the following categories:
- Lucky 13. Crypto is hard: when the new Lucky13 vulnerability was made public, we received a lot of (opportunistic) reports about us being just as vulnerable as the rest of the world. All reports were declined because the first report was done by OpenSSL themselves.
- Content spoofing in a 404 page. It was possible to trigger the Apache default 404 handler with a special string and insert properly escaped, non-clickable content in that page. No rewards were sent because the content was properly escaped and this is default Apache behaviour.
- SPF. People are still pointing us, incorrectly, to missing SPF records.
- File path exposure. Both turned out to be incorrect reports.
- SSL - Lack of PFS. Turned out to be a bug in the tester's tool.
- Privilege escalation. Reported internally and found to be correct.
- Information disclosure. An error handler was showing too much debug information.
- Domain takeover. Incorrect claim that a domain hosted on Google could be taken over.
- Clickjacking. Incorrect report.
- Admin panels. Our webmail 2FA authentication form was incorrectly perceived to be an admin panel.