How do I report a security vulnerability about a trusted certificate authority?

It sounds like your issue is that this vulnerability is bigger than you know what to do with.

The rules of responsible disclosure, as described here, say that you should contact the vendor and negotiate a period of time - between 1 week and 6 months, depending on the depth of the changes required - in which they can implement a patch, revoke and re-issue certificates, publish security bulletins, etc., before you go public with your findings. The intention is that at the end of the negotiated period you get your public recognition, but your going public can't do any more harm - if the vendor has done their job properly.

If figuring out how to contact them / negotiate a Responsible Disclosure period, go public with your results at the end, etc, is too big for you, or you don't know how to get started, then I suggest contacting and partnering with a well-known security researcher who already has established publication channels. Find a big name who has already published similar vulnerabilities and call them up! It sounds like you won't have any problem getting their attention.

Also congratulations! I look forward to seeing your name on a paper in 6 months!


Such a claim is generally quite serious.

While reaching out to the vendor in question is a responsible matter, you should certainly consider notifying the relevant root store security teams, since they are responsible for designing, evaluating, and applying the security controls to prevent this, and will likely need to directly work with the CA to ascertain the issues.

In terms of responsible disclosure you should also immediately report this to each of the major root store operators: Google, Microsoft, Apple, Mozilla. Just search for "<vendor> report security bug", and the first result will tell you. These are just some of the vendors affected - e.g. not just the CA.

If you are unsure about how to do this, wish to remain anonymous, or need assistance coordinating, the Chromium security team is happy to investigate, contact the appropriate CA, and coordinate with the broader industry. See https://www.chromium.org/Home/chromium-security/reporting-security-bugs for details.


Congratulations! Sounds like a major find.

First, generate some proof. The github.com SSL certificate sounds like a great start. Make sure you keep all the network traces you need to show exactly what happened.

You need to determine if you broke any laws or T&Cs while doing this. If the CA does not have a bug bounty, you almost certainly did. In that case, it is important for you to stay anonymous. One concern here is that you may have already revealed your identity during the testing. For example, you probably had to pay for that certificate; how did you make the payment? If you've already broken the law in a non-anonymous way, this pretty much rules out any strong arm tactics against the CA.

While it's commendable that you want to reach out to the CA, bear in mind that you do have a possibility of selling this vulnerability. This would potentially be worth $100,000 from an organisation like Vupen. Up to you how you feel about that.

If you do want to disclose, you could do it yourself, but I agree with Mike's recommendation to reach out to an established researcher. I think you could aim a little higher than a university researcher. A celebrity like Bruce Schneier or Dan Kaminsky would be interested in this. You would have to trust them with the details, and use their weight to have the issue taken seriously.

Regarding CloudFlare getting an early view of HeartBleed, this is standard practice for major vulnerabilities - that key providers get an early warning. But that comes much later in the process. In the case of HeartBleed, after patches had been developed (but not publicly released). I'm not sure how that would apply to this vulnerability. It seems that every certificate issued by the CA is now suspect.

Whatever you choose to do, good luck!