Password manager report gets researcher booted from Bugcrowd

(Jan Faßbender / Open Knowledge Foundation Deutschland / Flickr / CC-BY 4.0 Jugend hackt)


Written by

The author of newly-published research that examines flaws in password managers has been kicked off Bugcrowd, a popular vulnerability-reporting platform, after one of the companies named in the research reported the author for violating Bugcrowd’s terms of service.

Bugcrowd shut down Adrian Bednarek’s account after he violated the company’s rules on “unauthorized disclosure” by telling a reporter about a vulnerability in LastPass, a password management service. The vulnerability is an old bug that another researcher had already reported, but hadn’t been fixed.

According to a disclosure timeline he shared with CyberScoop, Bednarek found himself banned from Bugcrowd on Feb 12., a day after he said he spoke with The Washington Post for a report that his consulting company, Independent Security Evaluators (ISE), ultimately published Tuesday. Bednarek had reported the vulnerability to Bugcrowd on Jan. 19. After being told it was a duplicate, he raised concerns that the bug still hadn’t been fixed.

Bednarek told CyberScoop he wants to be reinstated and help improve the platform’s terms of service.

“I’m going to reach out to [Bugcrowd] and clarify the situation and hopefully work with them” to help make the disclosure rules clearer, he said Tuesday.

Despite the behind-the-scenes kerfuffle, LastPass on Tuesday released a patch for the vulnerability, which the company said affected a legacy application that accounts for less than 0.2 percent of LastPass usage. If exploited, the Windows-based vulnerability could allow an attacker to recover a LastPass user’s master password from a computer’s memory.

Bednarek conceded that he had violated Bugcrowd’s terms of service, but complained that they were overly broad and could be used to unfairly ban researchers.

“If these issues got past this firewall of these third-party bug-platforms and they reached the companies, they might take some issues more seriously,” he said. “I think some information can get lost in the whole process of using a third-party platform.”

For Bednarek, the episode pointed to a broader industry issue: despite progress, the process by which researchers report software vulnerabilities to organizations is still generally “a gamble,” he said. “Sometimes it goes smoothly, sometimes there’s a lot of friction.”

A LastPass spokesperson said the company “is fully supportive of responsible disclosure of vulnerability reports” and has been “working with dozens of security researchers through Bugcrowd for many years.”

Since its founding in 2012, Bugcrowd has emerged as a widely-used clearinghouse for companies to learn about and fix their network vulnerabilities. The San Francisco-based company boasts big corporate clients like Hewlett Packard and Mastercard.

In response to Bednarek’s comments, Bugcrowd Chief Security Officer David Baker told CyberScoop: “We are always happy to discuss feedback and suggestions with the researcher as well as to discuss reinstatement.”

Tuesday’s research, which covered vulnerabilities in four other credential-storing services, doesn’t change the fact that security experts, including Bednarek recommend using password managers as a means of avoiding duplicate passwords that can fall prey to hackers.

-In this Story-

Bugcrowd, password manager, security research, vulnerability disclosure