Recently, an incident involving Delinea’s Secret Server SOAP API highlighted the challenges faced by both parties in the disclosure process.
Vulnerability Details
A major flaw in Delinea’s Secret Server SOAP API was discovered this week, prompting security professionals to rush to implement a fix. However, a researcher claims he contacted the privileged access management provider weeks ago to notify them of the flaw, only to be informed he was not authorized to file a case.
Vendor Response
Delinea first revealed the SOAP endpoint issue on April 12. The next day, Delinea teams released an automatic remedy for cloud deployments and a download for on-premises Secret Servers. But Delinea was not the first to sound the alarm.
The vulnerability, which has yet to be issued a CVE, was first publicly exposed by researcher Johnny Yu, who presented a full study of the Delinea Secret Server issue and stated that he had been attempting to contact the vendor since February 12 to responsibly disclose the bug. After working with Carnegie Mellon University’s CERT Coordination Center and seeing no reactio
[…]