Finding a zero-day (0-day) is probably one of the best feelings in the world for a hacker, and sometimes we receive these submissions through Detectify Crowdsource, our bug bounty platform. This article explains how Detectify handles 0-days transparently and works responsibly with vendors, researchers and customers on disclosure.
What is a 0-day?
A 0-day is a security vulnerability that has no patch or solution and is often known only to the attacker who discovered it. The existence of a 0-day in a certain technology often impacts all instances using the product. It’s a fast-growing area of research, where both malicious and ethical hackers are seeking these out to explore new ways of testing the limits of IT security.
For example, Google runs its own program called Project Zero, where employees are tasked with researching 0-days in any kind of software their users may be using, to help secure the end user. They disclose what they find to vendors privately, and impose a strict 90-day disclosure deadline.
Does Detectify scan for 0-days?
Since we collaborate with some of the best ethical hackers, we occasionally receive 0-day submissions as well. Although we work with vulnerability scanning, we choose not to scan for 0-days right away. Why? Because we wouldn’t be able to provide an actionable solution for the customer, nor would it be ethical for us to make a 0-day public and leave vendors and customers vulnerable to attacks.
We need to work together with the vendor that is responsible for the product to develop a solution that mitigates the vulnerability.
How Detectify handles 0-day reports
When a researcher shares a 0-day with us, the first thing we do is try to validate that it is actually a 0-day. Once confirmed, we inform the researcher that we will contact the affected vendor on their behalf so they are aware of the 0-day vulnerability.
Many vendors have a responsible disclosure program, a SIRT/CIRT incident response team or someone involved in security, which makes it easier to find the right contact quickly. At this stage, we involve our legal team to help us structure the information correctly, so that the details that led to the discovery of the 0-day are communicated to the vendor clearly and without misunderstandings.
When are 0-days disclosed by Detectify?
When a 0-day is disclosed, the vendor has 45 days to fix the issue before we release the security module that will be tested against our customers' web applications. If the vendor fixes the security vulnerability within these 45 days, we will release the security test as soon as possible after the fix.
Our disclosure deadline is set to 45 days as we believe this should be sufficient for a vendor developing web applications. In rare cases where the vendor asks for more time, we will extend the deadline.
0-days reported to us by Crowdsource hackers:
Here are some 0-days we’ve received and can disclose:
One of our Crowdsource hackers reported several 0-days in extensions for Magento sold by the same vendor. All the extensions had an endpoint where attackers could send system commands that would be directly executed by the server, and according to the vendor, that endpoint was present due to “support purposes”.
Frans Rosén sent us the 0-day in ACME-Challenge where the path was reflected in the content, thus leading to XSS. Together, he and security researcher Linus Särud published their quirky research here.
How does Detectify help?
Detectify is on a mission to scale up ethical hacker knowledge by automating the vulnerability research we receive from Detectify Crowdsource and making it available for every cybersecurity stakeholder to work with – even 0-days.
Stay up to date on new vulnerability tests released, including patched 0-day vulnerabilities. Our testbed has 1500+ security tests for known vulnerabilities submitted by the Detectify Crowdsource community, as well as from our in-house researchers. Sign up today for a 14-day free trial.