What are my responsibilities, as a developer, if I stumble upon a zero day exploit in a widely used third party piece of software?
Should the developer only tell the third party to limit the effect?
What if the third party doesn’t come clean to all its user base, who else should be alerted?
What are the responsibilities of the third party software providers to alert their user base of vulnerabilities in their software?
7
Your question covers law, ethics and self preservation. I personally think in a perfect world you would tell the software producer and they should have two months to patch it after which you should submit it to a vulnerability database. The software producer should be receptive and grateful and possibly even work with you to patch the problem and test the patch.
Unfortunately, we don’t live in a perfect world. Software companies have a tendency of seeing disclosure as an attack and have a tendency to sue. Even private disclosure carries risks.
What I would do is research how the company has acted in the past. If they reacted negatively I might submit the information anonymously and leave it at that. If they are more receptive I would get in contact with them and submit the information being as nonthreatening as possible, working with them to decide how to proceed.
I would avoid giving a hostile, litigious company my details and I would not advise just dropping it onto the internet.
2