How can I privately report vulnerabilities?

Alright, I'll ask it again in public.

How can I privately report vulnerabilities that I found in Sandboxie?

I wrote a letter to support@sandboxie.com and I got: "We only handle licensing questions." I messaged , and she said that issues and security problems are handled in the forums.

I don't think it's a good practice to post vulnerabilities on public forums — it simply means full disclosure. One of the issues I am planning to report is an Elevation of Privilege that can be pretty severe in an enterprise environment. I'll report it and request a CVE ID for it as soon as I create a working proof of concept. So, I want to contact your development team to make sure they have time to fix it.

Do you really want me to post everything on a public forum, effectively making it a zero-day exploit?

  • Hi diversenok,

    I agree, posting it publicly is not a good idea.

    If it's truly as critical as you say, I would upload the working proof of concept to a cloud and send a private email to support@sandboxie with a link.

    You probably will not be able to speak directly with the devs, but you never know. The idea of this possible security leak has me very concerned, and I have no doubt the devs will look into your results.

    The quicker done the better.

    Sam

  • What devs? Do you see any Sophos devs here? It took them months to recover from their own self-inflicted DDoS attack. The old forums are gone forever and we are left with this POS. And the buy links are still "in maintenance" after more than 2 months.

    Since Sophos took over, they have done the absolute minimum required to keep Sandboxie barely running in Win 10 while they collected payments. There is a long list of problems that are being "looked in to" but not fixed.

    I'm switching to the cracked version to get around this licensing incompetence. The crackers at least have some devs working. Maybe they can do something about the vulnerability if you post the details here, assuming it is real.
