23 Dec 2023 | Reading time: ~3 min

InfoSec Education - How NOT to react to a responsible disclosure (CVE-2023-47444)

#podcast #leonardo-tamiano #interview


Table of contents

  1. Introduction
  2. Video
  3. Timestamps

Introduction

In this video posted on my dear friend Leonardo Tamiano’s channel, we discuss a CVE recently discovered by me, CVE-2023-47444, found in OpenCart, an open source e-commerce platform written in PHP.

Since Leonardo is very interested in this type of research, he invited me on his channel to discuss the topic and my experience. In the first half he asked me a few questions about how I handled the research, and in the second half we talk about the responsible disclosure process and how it was handled (badly) by the project’s maintainer, who, instead of accepting my contribution, decided to act ignorant and insult the work done.

If you haven’t already done so, subscribe to Leonardo’s channel on YouTube and follow it for more research, videos and technical contributions.

(Sorry, but the podcast is in Italian only. Maybe some AI tools can help you, btw 😼)

Video

Timestamps

TIMESTAMPS:
00:00 - Introduction
01:08 - Who is 0xbro??
02:17 - OpenCart - The Research Target
03:55 - Time organisation
05:40 - Past research on the project
07:55 - Vulnerability Details (CVE-2023-47444)
20:10 - Thoughts on the activity
22:10 - Vulnerability disclosure approach
25:11 - The (ignorant) response of the developer
29:30 - The importance of the threat model
32:25 - The relationship between programmers and researchers
39:57 - The cost of ignorance
41:00 - Final remarks
42:54 - BONUS - Environment setup for OpenCart research