I wrote up the Delinea Secret Server Cloud security incident situation: https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882
As far as I can see Delinea have no responsible disclosure programme or vulnerability reporting contact.

They did, however, do a podcast about how to run one 😬 https://delinea.com/events/podcasts/responsible-disclosure-programs-katie-moussouris-casey-ellis

Delinea have removed the paywall on the IoCs and remediation information.

In fairness to Delinea I think they have got on top of this really well now. The remediation guide is top tier.

They probably want to have a look at their CMS setup for their online portals, e.g. the podcast and marketing content is really well search engine optimised, but the security content (including the responsible disclosure policy) is on a platform which is really search engine unfriendly - most of it is so buried I can’t even find it via Google, I think they might be blocking it by mistake.

All of Delinea’s product and cloud security info is on trust.delinea.com - but only the front page is indexed by search engines, there are only two results. They block pages off using robots.txt - including how to report vulnerabilities.

Other orgs probably want to learn from that.

security.txt - A proposed standard that allows websites to define security policies.

Website test: meta.com - Test for modern Internet Standards IPv6, DNSSEC, HTTPS, HSTS, DMARC, DKIM, SPF, STARTTLS, DANE, RPKI and security.txt

@GossiTheDog and for WordPress there are plugins like this one (that has source code and supports people using several languages to collect the relevant data): https://github.com/austinheap/wordpress-security-txt?tab=readme-ov-file I haven’t tried this one, but it looks useful.
GitHub - austinheap/wordpress-security-txt: A plugin for serving `security.txt` in WordPress 4.9+, based on configuration settings. https://securitytext.org/
@drewdaniels @GossiTheDog unfortunately not maintained since 2021
@deepthoughts10 @GossiTheDog WordPress is a pain to add things. ☹️
Yeah, the one I linked to may not even work: https://github.com/austinheap/wordpress-security-txt/issues/7
I’ll keep looking or maybe write my own plugin. I remember there are a few ways to put in arbitrary file locations without a plugin but that may not work on all hosting providers.
404 when trying to access .well-known/security.txt · Issue #7 · austinheap/wordpress-security-txt
@GossiTheDog sales and mkt plus seo sound like good advice and areas to conc on for many - lots of optimizations possible but track all efforts with competing analytics platforms to get comprehensive feedback on efforts #metrics #deep pockets of knowledge
@GossiTheDog thanks. This IoC document is so much better at proving no access was made (in most cases) rather than just a lack of evidence.
@GossiTheDog If only the Chief Security Scientist and Advisory CISO at Delinea had had an opportunity to listen to that episode, maybe they would have been better off!
@maswan @GossiTheDog perhaps it was a desperate attempt to force one into existence

@faebudo @GossiTheDog Internet Archive shows it already existed in March at least. Wonder how easily it could be found / if that’s where it was reported to by CERT and the original researcher.

Anyways, big snafu as the original contact the researcher had should have guided him there.

@faebudo @GossiTheDog I like how that document says vulnerability reports should be encrypted but doesn't list a key or any method of encryption.
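As an added example that is not part of this thread, a small Python checker for the two gaps raised above: a security.txt whose field set omits an Encryption key (and the Contact/Expires fields RFC 9116 requires), and a robots.txt rule that hides /.well-known/security.txt from search engines. The sample inputs are constructed and the function names are my own.

```python
from datetime import datetime, timezone
SAMPLE_SECURITY_TXT = """# constructed sample, not any vendor's real file
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security-policy
"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /.well-known/\n"  # constructed sample

def parse_security_txt(body: str) -> dict:
    """Map lower-cased field names to their values; comments and blank lines are skipped."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(body: str, now=None) -> list:
    """Return the problems found; an empty list means the file passes these checks."""
    fields, problems = parse_security_txt(body), []
    if not fields.get("contact"):
        problems.append("missing Contact (required by RFC 9116)")
    expires = fields.get("expires", [])
    try:  # RFC 9116 uses an ISO 8601 date-time; fromisoformat wants +00:00 rather than Z
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00")) if len(expires) == 1 else None
    except ValueError:
        exp = None
    if exp is None or exp.tzinfo is None:
        problems.append("Expires missing, repeated or not an RFC 9116 date-time")
    elif exp <= (now or datetime.now(timezone.utc)):
        problems.append("Expires is in the past")
    if not fields.get("encryption"):
        problems.append("no Encryption field: reporters cannot encrypt reports")
    return problems

def robots_blocks_security_txt(robots: str) -> bool:
    """True if a 'User-agent: *' group disallows a prefix of /.well-known/security.txt (no wildcards)."""
    applies = in_header = False
    for raw in robots.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        key, _, value = (p.strip() for p in line.partition(":"))
        if key.lower() == "user-agent":  # consecutive User-agent lines form one group
            applies, in_header = (applies and in_header) or value == "*", True
            continue
        in_header = False
        if key.lower() == "disallow" and applies and value and "/.well-known/security.txt".startswith(value):
            return True
    return False
```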