If you see a major security vulnerability in a tech company’s hardware or software, the best you can do is reach out and hope you get a response.
And if they don’t you end up like Grant Thomas, the 14-year-old boy who found a severe privacy flaw in Apple’s (AAPL) FaceTime internet-calling app and tried, with his mother, to warn the iPhone maker.
But as tempting as it might be to point and laugh at Apple for the FaceTime fail that the firm didn’t patch until Thursday, the company fields security reports better than many.
Meanwhile, many firms rushing to put a chip in one home gadget or another have yet to take the first steps of providing any clear channel for security researchers or individual customers to tip them off about a vulnerability.
Nine days for a zero-day
Thompson, a Tucson, Ariz., high-school freshman, found the FaceTime bug when trying to add a friend to a group call before a Fortnite game—and realized that the friend’s microphone had gone live without him answering.
Apple offers a dedicated email address for security researchers at firstname.lastname@example.org, but it’s not listed on the company’s customer-support page. So Thompson’s mother Michele tried getting the attention of the company’s @AppleSupport Twitter account and eventually tweeted out the news herself.
Nine days after the discovery, Apple responded by deactivating Group FaceTime. The company shipped patches for iOS and macOS Thursday. CNBC reported a high-level Apple executive visited the Thompsons on Friday and may pay Grant a “bug bounty” for reporting the vulnerability. Apple PR did not respond to a request for comment sent Tuesday.
It all looks bad. Tuesday, House Energy & Commerce Committee members Reps. Frank Pallone, Jr. (D-N.J.) and Jan Schakowsky (D-Il.), sent a letter to Apple CEO Tim Cook that said, “we do not believe Apple has been as transparent as this serious issue requires.”
But from a security researcher’s perspective, it also looks like the worst-case scenario of somebody uncovering a vulnerability and then only trying to report it to customer-support contacts insufficiently trained to escalate things to the security team.
“It’s unusual to have someone who finds something like that and doesn’t already know the right channels to go to,” said Katie Moussouris, CEO of Luta Security who in 2010 created the vulnerability-disclosure program for Microsoft (MSFT). The only other example she cited was a case in 2014 of a five-year-old stumbling across a login bug in Microsoft’s Xbox Live service.
“I think we need to give Apple sort of a B- on this, because of the early fumble,” she said.
The problem is much worse elsewhere
Moussouris found that only 6% of firms in the Forbes Global 2000 listing had a dedicated security-reporting channel, as she determined by Web searches and “really hunting around on their pages,” things you’d expect of a typical consumer.
That was the case at two of the more prominent vendors of connected-home gadgets at CES last month, Kohler and Whirlpool. Neither’s site listed a way to flag a hypothetical glitch with their smart oven or connected toilet, leaving buyers to hope that customer-service reps would route their report appropriately.
A Whirlpool publicist said they would do just that, advising customers to call 866-698-2538 and suggesting security researchers e-mail email@example.com. A Kohler publicist did not answer an email sent Tuesday.
Many firms that do accept vulnerability reports also fail to handle them properly. In one memorable 2018 case, Google security researcher Natalie Silvanovich tried to notify Samsung of a bug on its Galaxy S7 Edge phone but got routed into a long series of non-disclosure agreements provided in Korean. After a week, Silvanovich got in touch with people she knew at Samsung’s Knox security team, who pointed her to a barely-advertised e-mail address. Samsung has since fixed that process.
“No one likes external pressure and very few of those kinds of companies have good processes in place to handle these sorts of incidents,” Rich Mogull, CEO of the security firm Securosis explained via email.
What you should do
Two other researchers, however, said that things have at least improved compared to a few years ago.
“Larger companies are increasingly educating their employees on appropriate incident response,” said Chris Vickery, research director at UpGuard Security.
“Anecdotally, I feel that companies are more receptive to security reports, and also more willing to accept that they may have flaws in their product,” said Troy Hunt, who runs the Have I Been Pwned database of username and password breaches.
In the unlikely event that you stumble across a security opening in a gadget, app or service you use, you have to hope these security professionals are right. And to follow their advice.
Don’t blab publicly about the vulnerability, because that will tip off attackers to start exploiting it.
Keep receipts of your attempts to notify the firm. Mogull advised “recording phone calls and archiving emails.”
Consider escalating to a trusted third party. Mogull suggested notifying a security firm you trust. For severe bugs, Moussouris suggested the government’s CERT CC. Vickery advised starting out with government, citing the number of times companies have blamed him as a messenger: “figure out what entity regulates the company’s industry and report it to the agency.”
Don’t try to extort the company. Mogull denounced a recent instance in which a security researcher declined to provide details of a system-keychain bug to Apple because its bug-bounty program covers iOS but not macOS. As he put it: “Don’t be threatening, be helpful.”