
Reality of Responsible Vulnerability Disclosure in Malaysia

Coming from working with the Malaysia Computer Emergency Response Team (MyCERT) and SEC Consult (MY) has taught me the reality of responsible vulnerability disclosure in Malaysia.

Speaking from my experience of having to communicate directly with vendors, I can say most vendors here are not yet ready to receive any reports of security issues in their products. They always assume you are trying to blackmail them and become very defensive. Also, their legal and PR departments are not happy with you for doing some funny stuff with their web/product without first getting their consent.

Take the following vulnerability report as an example:

  • https://portswigger.net/daily-swig/critical-flaw-found-in-mybiz-procurement-software

The vendor failed to respond to all the emails I sent them across multiple channels, but was somehow able to respond to the PortSwigger blog post.

Timeline:

2018-02-22: Contacting vendor through [email protected] (no response)
2018-02-27: Requesting an update from the vendor (no response)
2018-03-13: Trying to contact via web form http://www.mybiz.net/contact-us (no response)
2018-05-14: Public release of security advisory

Another example is from my previous blog post, where this particular vendor is threatening to sue our company over a FREE security report.

My best experience with responsible vulnerability disclosure is with this report:

  • https://sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc-media-player-ios-app/

The CTO personally acknowledged the report and was very quick to issue fixes.

Responsible Disclosure Awareness

I presented at the OWASP.MY Meetup in 2018 about the workflow of responsible disclosure; you can check the slides here.

That is all about reporting vulnerabilities in local vendor products.

Moving Forward

What if you would like to report a vulnerability in a particular website that happens to be owned by a Malaysian entity? For example, you found a security vulnerability at something[.]gov[.]my, or at any domain ending with dot MY; how do you report it?

You can always report to MyCERT or the National Cyber Security Agency (NACSA) through their web form, or just email them.

I often send reports to MyCERT as I am familiar with their escalation SOP, and they also help you a lot with escalating the issue to the relevant parties.

When you report to MyCERT or NACSA, don't expect to receive any credit if the vulnerability gets patched. For me, it's better not to put yourself in legal trouble for doing some funny stuff on other people's web. The credit you wanted is not worth the legal trouble you might have later. It might also affect your future career.. you know, the "who wants a naughty kid" kind of mindset.

Final Words

Remember, if someone comes along and keeps chanting "we do all this without taking any money and only do it for our beloved country", that is bullshit.

Ok bye