How can I privately report vulnerabilities?

Alright, I'll ask it again in public.


How can I privately report vulnerabilities that I found in Sandboxie?


I wrote a letter to support@sandboxie.com and I got: "We only handle licensing questions." I messaged , and she said that issues and security problems are handled in the forums.

I don't think it's a good practice to post vulnerabilities on public forums — it simply means full disclosure. One of the issues I am planning to report is an Elevation of Privileges that can be pretty severe for an enterprise environment. I'll report it and request a CVE ID for it as soon as I create a working proof-of-concept. So, I want to contact your development team to make sure they have time to fix it.

Do you really want me to post everything on a public forum, effectively making it a zero-day exploit?

  • Just go ahead and post it here, so at least the few of us that are left can know what to look out for. Sophos won't do anything about it. Doubtful they even could.

  • Hi diversenok,

    I agree, posting it publicly is not a good idea.

    If it's truly as critical as you say, I would upload the working proof of concept to a cloud and send a private email to support@sandboxie with a link.

    You probably will not be able to speak directly with the devs, but you never know. The idea of this possible security leak has me very concerned, and I have no doubt the devs will look into your results.

    The quicker done the better.

    Sam

  • In reply to Sam777:

    What devs? Do you see any Sophos devs here? It took them months to recover from their own self-inflicted DDoS attack. The old forums are gone forever and we are left with this POS. And the buy links are still "in maintenance" after more than 2 months.

    Since Sophos took over, they have done the absolute minimum required to keep Sandboxie barely running in Win 10 while they collected payments. There is a long list of problems that are being "looked in to" but not fixed.

    I'm switching to the cracked version to get around this licensing incompetence. The crackers at least have some devs working. They maybe can do something about vul. if you post the details here assuming it is real.

  • In reply to Bite Me1:

    Posting exploits publicly is irresponsible and thankfully the OP sees it that way, too. No good can come of it.

    I agree things are a little bumpy with Sandboxie at the moment but I'm confident that it will eventually smooth out.

  • Hi diversenok,

    I am waiting for direction from our management team regarding how to proceed.

    Sorry for the delays.

    Regards,

  • In reply to Barb@Sophos:

    Tick tock... tick tock... Any update from management?

  • In reply to Bite Me1:

    Hi Bite Me1,

    I will post an update as soon as I receive it.

    Regards,

  • In reply to Barb@Sophos:

    The weeks keep passing by. Let me guess. Sophos management is still analyzing the situation. Have they learned what "vulnerability" means?