Very few people in IT have the distinction of being considered a “security researcher” by title alone. Despite that designation, many of us run across security vulnerabilities every day and sometimes just go “ah, someone should report that!” rather than taking the initiative to wear the security researcher hat and handle it ourselves.
In this presentation I will cover three diverse situations of vulnerabilities that I ran across and how I went about getting them remediated. Situations include: a PII/PHI vulnerability in a SaaS application with 90,000 affected users; an open-source CMS SQL injection vulnerability (CVE-2010-4006); and a client’s web site that was riddled with vulnerability from a contractor’s poor programming practices.
If you’ve wondered what you as a system administrator, web developer, or general IT enthusiast should do in these kinds of situations, come hear real stories and learn from my actions and related mistakes! Learn about requesting a CVE, contacting vendors, 0-day vs. vendor-friendly disclosure, and more. The presentation will feature code snippets/exploitation of each vulnerability and include screenshots (where allowed) of the situations.