As big fans of open source, we feel the urge to support the community and contribute to the projects we like. And because our code is ugly as hell, we try to do it at least by reporting bugs and security vulnerabilities. It may not look so at first sight, but developers are people like anybody else, and so are their personalities and attitudes. Some of them are thankful for all the feedback they get from their users, some of them are reserved at first until you prove yourself knowledgeable enough about the problem, and some of them do not even reply but fix the issue. But, as in every aspect of life, there are some that do not care about security.
It is a great satisfaction to get a quick response from a developer confirming the vulnerability and saying that it was hot-fixed and will be patched in the next release. I know, a bounty is a great thing, but even a simple thank you and a mention in the release notes are what make people feel good about the project and continue to support it in the future. Even if the developers sometimes do not understand the reported vulnerability, a kind attitude and interest in the topic are what motivate the researchers to patiently explain the vulnerability to you and demonstrate it using proof-of-concept code.
On the other hand, there is the other kind of attitude, one that makes the researchers not so happy and pushes them from responsible disclosure based on respect to a yeah-no-NDA full disclosure.
Let me give you an example. Last month we reported a common, quite easy to fix, but critical vulnerability to a project we use ourselves. The project is developed by a single developer who, according to the code, lacks experience but has great dedication to the project. The user base of the project is approximately 40k users. We wrote a short mail to the developer explaining the vulnerability and the impacted versions, offered a PoC, described possible counter-measures and our motivation, and asked for permission to post a disclosure after it is patched. The good thing is that we got a reply within 24h. The bad thing is that it was like “What are you trying to tell me? A large majority of websites is vulnerable to this attack! Why did you pick out my project, that’s irresponsible.” Well, ok, maybe we misunderstood each other.
So we replied with a broader explanation of the vulnerability, added a PoC, and explained a possible attack scenario and the impact on the users. To eliminate future confusion, I explained again what my motivation is and offered help with an explanation of the vulnerability and with re-testing the application after the fix is implemented. If you guessed that the reply was WontFix, you were right. Partially. It was “Here is the repo on GitHub, I look forward to seeing your patch”. So much for motivation.
What the developers sometimes do not understand is that it’s not only them who spend their free time contributing to the project, but so do the researchers who report the vulnerabilities to them. The motivation for their actions is the same as the motivation of the developer: to make the project better and safer to use for its users. The expected reward for their work is the same too: appreciation of their contribution.
So please, be kind to your local security researcher.