Between January 2026 and April 2026, I reported security vulnerabilities through the vendor's HackerOne program in accordance with the responsible disclosure process.
The reports were promptly acknowledged and later moved into a triaged/pending state. Over the following weeks, multiple requests for status updates and feedback were submitted. Despite the program's published response commitments, no meaningful communication, remediation status, or resolution details were provided.
Additionally, I previously contacted the HackerOne Mediation Team regarding this matter and requested assistance due to the vendor's prolonged unresponsiveness. Unfortunately, I have not received any response or update from the Mediation Team for several months.
Timeline for one of the bugs:
- March 19, 2026, 6:27pm UTC -- bug sent to vendor with all the details
- March 19, 2026, 6:32pm UTC -- vendor set status 'pending program review'
- March 23, 2026, 5:44pm UTC -- asked vendor for comment/feedback; no response
- April 7, 2026, 9:30am UTC -- asked vendor for comment/feedback; no response
- April 14, 2026, 9:28am UTC -- asked vendor for comment/feedback; no response
- April 21, 2026, 8:08am UTC -- asked vendor for comment/feedback; no response
- May 7, 2026, 8:24am UTC -- asked HackerOne for mediation; no response
- May 9, 2026, 4:18am UTC -- asked vendor for comment/feedback; no response
- May 14, 2026, 9:08am UTC -- asked vendor for comment/feedback; no response
- June 9, 2026 -- asked vendor for comment/feedback; no response
- June 11, 2026 -- full disclosure
As of today, nearly two months have elapsed since the initial submission. The vendor has failed to provide substantive (or any) feedback or maintain communication regarding the report.
Responsible disclosure relies on cooperation between researchers and vendors. While researchers are expected to report vulnerabilities privately and allow adequate time for remediation, vendors are expected to engage in the process and communicate within their stated disclosure framework.
Given the prolonged vendor unresponsiveness, repeated missed response deadlines, and the apparent abandonment of the report, I consider the responsible disclosure process exhausted.
The vulnerability is therefore being disclosed in full.
Full technical details follow below:
- https://code610.blogspot.com
- https://www.patreon.com/cw/code610proton
Thank you for all the support.