Jeffrey Paul

How Not To Run A Vulnerability Disclosure Program
24 April 2021

I found a small vulnerability in American Express today. Nothing major, but something they’ll definitely want to fix.

I searched and found that they have a special dedicated vulnerability reporting email address. Cool.

I wrote them an email outlining the issue, and mentioning that I intend to publish the finding in 30 days.

They sent me back an autoresponse, saying that to “complete the submission of this report” I have to follow a link. That’s no issue; however, they also (inaccurately) claimed:

Before you submit the report please read the HackerOne Privacy Policy. By clicking on the link below, you confirm that you have read and agree to the terms of the Policy.

First off, fuck you. You don’t get to assert that I agreed to some legal contract (with a third party, no less!) because I clicked a link you sent me. That’s not how any of this works.

Second, why would you make the free donation of important business security information by a complete volunteer to a financial institution used by millions contingent upon agreeing to some random third party service’s legal contract? Are you fucking stupid? You want zero friction in this, even if you have to hire three shifts of inbound security disclosure email ticket triage staff. It’s not like this is Joe Appalachia’s Bumblefuck Credit Union: you’re in the top 10 of the Fortune 50 and have like a billion customers, and the economy of scale here is very nearly visible from the Kuiper belt.

I clicked the link (without reading the HackerOne Privacy Policy, because I can’t possibly have agreed to a contract I have never even seen before). I use NoScript, which blocks Javascript from running in my browser. The page completely failed to render: a blank white screen, not even an “enable javascript, pretty please!” error. I can only assume it did not complete my submission.

AmEx has now twice refused my free donation of security information: first when they handed me off to some third-party service bot which demanded I agree totally to their terms or fuck directly off, and second when the third-party service they picked turned out to be run by idiots that have decided that graceful degradation in the face of feature incompatibility, one of the core foundational tenets of the world wide web since its invention, despite a nice two-decade run simply isn’t important anymore in 2021, and that serving blank pages to… you know, security professionals with javascript disabled (pretty much browser security tip #1), is totally fine.

(Anyone competent and serious about workstation security is either using a whole boatload of different virtual machines for browsing the web, which is an inconvenient pain in the dick, browses with javascript off by default, or both.)

"Disable the fucking scripts." —Ed Snowden

This is a real, actual Snowden quote, as reported verbatim by Bart Gellman in his book, Dark Mirror. (Highly recommended, btw.) He was talking about browser Javascript specifically.

I fired up a VM just for them, not because I want to submit the ticket, but because now I’m curious how deep this shit-filled rabbit hole goes. Loading the submission page prompts me to create an account (value donation friction event #3, OF COURSE) and includes remote-loaded Google ad tracking spyware javascript, too. Why do I even bother? Ain’t one hacker over at HackerOne, it seems.

Check back here on 24th May (my 30 day embargo period was specified in the email they seem to now have ignored) to read about AmEx doing some super duper bush-league amateur hour security mistake, which I’ll give you dollars to donuts is still happening on that date. Cheers!

About The Author

Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.