Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating


Everyone knows !

There is no obligation to disclose anything you find to anyone.

Having worked in financial services on the blueteam/sysadmin side, the problem I see here is the contract between the two parties.

What the contract should have in writing is that the pentest vendor (Randori) discloses every step of their process and makes recommendations on improvements for each step. The contract may actually say that, in which case I'd consider Randori in breach of contract for failing to disclose this particular 0day.

Now with that being said, if I were their customer I would want to know not just how my perimeter defences were, but how my internal ones performed as well, and if that means they're going to burn a 0-day to do it, well... okay.

Because even if they did do that, my defences should have been able to detect them once they were inside.

The way that I previously ran these kinds of testing cycles (quarterly) was to start out by giving the pentesting vendor nothing and see what they could do. Regardless of if they could break through or not we'd move on to next round of testing.

Next step would be to use a test box provided by the vendor - plug it in to the network but don't authorize it on the NAC and see what they can do.

Next would be to add their box to the NAC whitelist and run a testing round. After that you provide them with a domain account with no permissions for testing and see what they can do, and so on. At every step we would communicate any alerts or incidents triggered by our system that caught what they were doing. Once all testing is done a comprehensive report with recommendations is created and gone over by the IT admin team.

The point of this process was to test the infrastructure at basically every entry point you might get. More often than not they'd end up with Domain Admin at some point, but that wouldn't stop the testing. Once the full report was made we'd get a full breakdown of every step they used to get through our security at various levels.

After that we'd have several discussions on the exact chain of events that led to a compromise, and then work on recommendations to break every link in that chain. You don't just address the initial intrusion, you address each step that allowed intrusion and elevation into your environment.

Side note - this vendor also did physical testing with various offices trying to see what they could gain access to, checking things like card readers, door locks, and employees challenging someone unknown, as well as social engineering over the phone. They were a treat to work with.

Point being that any use of a 0day would have shown up in that testing and been required to have been reported as part of their methods, and the expectation would be that this was a 0day that they had reported to Palo Alto (or whomever) and were currently working with them to get resolved. There wouldn't be a problem with using a 0day as part of their testing so long as the disclosure process had been started, those can take a while to fix and that timeline is on the 3rd party vendor. Not reporting the use of the 0day to us would have been breach of contract, and admitting to not starting disclosure with the 3rd party would cause immediate review of the contract by legal and the assigned cybersec manager.

To sum up, I know that camDown and that's the no joke!