Hey everyone,
I’m looking for some advice on a "silent patch" situation. About three weeks ago, I discovered a critical RCE in a product that has several high paid tiers ($500–$2,000/mo).
I followed the proper disclosure process and reported it privately via GHSA (GitHub Security Advisory) and followed up with a few professional emails.
The maintainer never acknowledged the report in the GHSA thread and has completely ignored my emails. yesterday, I just checked their latest release and they silently patched the exact logic I reported. There is no mention of a security fix in the release notes, no CVE, and the GHSA draft is still sitting in triage while they refuse to credit me.
It feels like they’re trying to avoid the "Critical" label on their record to protect their commercial image while taking my research for free.
Since the patch is now public code, am I clear to just publish my own technical write-up and publish their name to the world? Should I bypass them and request a CVE ID directly via MITRE or another CNA to ensure the vulnerability is actually documented? I’m not asking for a bounty, but I want the credit for my professional portfolio, and it feels shady for a company charging $2k/month to sweep a full RCE under the rug.
Has anyone else dealt with maintainers who take the fix but refuse to acknowledge the researcher?
Any advice on how to handle this without being "the bad guy" would be appreciated.
[link] [comments]
from hacking: security in practice https://ift.tt/3w5Tn6k
Comments
Post a Comment