Reporting security issues?
Question asked by Soroush Dalili - January 26 at 7:08 AM
Answered
Hi,
I have identified a number of important security issues in your product. Could you please tell me how I can report them securely without them being publicly accessible to everyone before the patch?

It seems I cannot create a support ticket without actually owning a license. There is also no form to submit the security issues.

Thanks
Soroush

7 Replies

echoDreamz Replied
Email sales@smartertools.com I am sure they will get you to where you need to go to report the issue.

Christopher

Soroush Dalili Replied
Thanks for the advice. I am still waiting for the official response today, as I do not want to share these sensitive issues with the wrong audience. If I get nothing by 4pm GMT, I will have no choice other than using the sales email.

It would be great if a page or a knowledge base entry could be created to advise people how to report security issues.
John Marx Replied
Dude, every company has a support email address to fill out. Are you saying creating an account and writing in a public forum is easier than emailing? No response, okay, but it seems like your words are more of a threat than trying to be helpful. Just saying.
Soroush Dalili Replied
Sorry, you have misunderstood me. As I have said before, by 4pm I am going to send the info to their sales email if there is no response. How is this a threat if that's how they work? I do not normally send the issue details to the sales department in the first place, to decrease the exposure and to speed up the process (it is backfiring here atm though).

I am just trying to responsibly disclose some issues to the relevant technical team, and I don't think a company should make this difficult if it wants to encourage security researchers to report responsibly. I have sent them a DM on their Twitter account but I haven't received any response yet.

From what I have gathered so far, there is no support email unless I have missed it. There is a form you should use, and that is only available to people with a valid license. I don't think it is fair to buy a license just for this purpose, as I am basically contributing for free.
John Marx Replied
I agree on the form but stating "You must complete this task by X time" or I will expose you is a threat (in my mind). This is a community of people that believe in the product. Every product (I mean every product) has flaws. Contacting sales is not a bad thing. It's listed everywhere on the site. The management team actively watch these threads as well and you can even PM (private message) them. When I read what you wrote all I thought was all the bad in the world trying to come out and threaten. You could've even emailed sales (or any of their emails) and state "I believe I have found a security hole and would like to privately discuss it.". That would've been better.

Beyond that I do believe a security@smartertools.com would be a great addition (if it doesn't already exist).

Derek Curtis Replied
Employee Post Marked As Answer
Any perceived security issues can be sent to security@smartertools.com as well -- no need for an account to do that. (And I say "perceived" not to be arrogant or to discredit anyone, it's just that what some see as security issues may not necessarily BE security issues.)
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
Soroush Dalili Replied
Thanks for providing me with the email. I will be in touch shortly.