Coordinated vulnerability disclosure can require a lot of effort from project maintainers and reporters. There are many reasons to participate, and hopefully user security is the top priority for everyone involved.

But sometimes things fall apart. This is my first time using Full Disclosure after #MetaMask rejected a security issue in `private wipeSensitiveData = () => '';` even though they cite a previous vuln fix with an in-line `[Future improvement]` comment.

https://hexproof.dev/datagrams/metamask-demonic-mobile-android/

MetaMask Demonic Mobile: seed phrase survives autolock on Android

MetaMask Android v7.76.0 does not zero the seed phrase or vault password after autolock. Same class as Demonic (CVE-2022-32969). Fix named in source since 2023.
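To make the issue concrete, here is an added illustration (my own, not MetaMask's code) of why a wipe that merely returns `''` leaves the secret in memory, beside a holder that keeps the secret as bytes so that a lock can actually overwrite them. Class and method names are hypothetical, and the seed words are a constructed sample.

```javascript
// Pattern from the report: a "wipe" that returns an empty string never
// touches the field that still references the secret. (Illustrative only.)
class StringVault {
  constructor(seed) { this.seed = seed; }          // seed is a JS string
  wipeSensitiveData() { return ''; }               // no-op: this.seed survives
  isWiped() { return this.seed === '' || this.seed === null; }
}

// Hardened pattern: a JS string is immutable and cannot be zeroed in place,
// so the secret is held as a Uint8Array that lock() can overwrite.
class ByteVault {
  constructor(seedBytes) {
    this.seed = new Uint8Array(seedBytes);         // private copy of the bytes
    this.locked = false;
  }
  lock() {
    this.seed.fill(0);                             // overwrite every byte
    this.locked = true;
  }
  isWiped() {
    return this.locked && this.seed.every((b) => b === 0);
  }
  readSeed() {
    if (this.locked) throw new Error('vault locked');
    return new TextDecoder().decode(this.seed);
  }
}

// Exercise both holders with a constructed seed phrase and report whether
// the secret is actually gone after the "wipe" / lock.
function demo() {
  const phrase = 'abandon ability able';          // constructed sample
  const sv = new StringVault(phrase);
  sv.wipeSensitiveData();
  const bv = new ByteVault(new TextEncoder().encode(phrase));
  bv.lock();
  return { stringWiped: sv.isWiped(), byteWiped: bv.isWiped() };
}
```

Zeroing the typed array clears only that buffer: any string copy made before the bytes were encoded stays in memory until the runtime's garbage collector reclaims it, so the secret should be kept as bytes from the moment it is entered.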

hexproof

I reported this and another vuln to MetaMask over #hackerone. It was the only communication platform available. Clearly, this needed a private report.

MetaMask marked this and another report as Not Applicable.

Curl accepted a report as Informative, which is great. Glad I reported a security bug properly. But, now I have a -5 HackerOne score and am locked out of coordinated vulnerability disclosure via H1.

I put users first by emailing curl a second vuln and breaking the HackerOne ToS.

I have a deep respect for OSS projects. Especially OSS projects that take on the additional, unpaid labor of CNA work and that fight to reduce that toil for others and to fix bad CVSS metrics. OSS maintainers volunteer an immense amount of their lives to provide free software to us all.

Independent security researchers also do free labor to secure software.

Coordinated vulnerability disclosure requires people to meet each other.