The CVE Process

I promised I would make a quick post detailing my CVE submission process, so here it is.

Initial Discovery

October 20th, 2020:
I initially discovered this vulnerability while performing a Web Application Penetration Test for a client. In doing a bit more research, I found out that there was only one other CVE / vulnerability out there for this specific software, and that the XSS I discovered was not that one. Because of this, I decided to go forward with a responsible disclosure.

Responsible Disclosure: In short, responsible disclosure is the process of attempting to reach out to a vendor in a swift manner to address a security concern, in an effort to remediate the issue and push out a fix.

October 22nd, 2020 1:20PM:

I began the process to reach out to Dundas via a chat function within their website. I stated that I was a Security Engineer and recently discovered a vulnerability while doing a security assessment for a client, and that I’d like to speak with whoever handles these types of concerns / issues. I was given the following response from a staff member:

“It’s company policy not to share contact info for our staff, but you may feel free to reach out to them on LinkedIn”

Clearly they’re not looking to help me help them.

October 22nd, 2020 1:36PM:

Next I looked for a contact email which made the most sense to reach out to. support@dundas.com seemed like a good email.

No reply.

October 27th, 2020 9:40AM:

I did my best to space out the timing in between attempted correspondence so as to allow them time to review my emails, messages, etc. and reply. I then decided Mondays are maybe not the best day to reach out, so I went for a Tuesday and followed the advice of the staff member who told me to reach out to someone on LinkedIn. Who better than a Senior Software Developer?

As you can see above, LinkedIn only let me type 300 characters, forcing me to get straight and to the point.

No reply.

November 9th, 2020 9:46AM:

Fourth time's the charm? Nope. This time I reached out on a Monday. This was less of me trying to work with them now, and more of a respectful heads-up that this would be disclosed to MITRE for a CVE and then published publicly.

No reply.

As you can see here, I told them I would submit the CVE no later than 12/01/2020.

November 10th, 2020 12:30PM:

I submitted the CVE the next day. Not knowing what to expect, I thought it would be reasonable to wait a week for a response from MITRE.

November 10th, 2020 3:18PM:

Use CVE-2020-28408

Use CVE-2020-28409

The same day I was issued the CVEs. The process was incredibly easy, and I would recommend that anyone pursue it after a responsible disclosure to the vendor, assuming they'll work with you.
