7

If you find a flaw or bug, for example in the Linux kernel, you can create an issue on GitHub, or if you can solve it you can contribute.
How about finding a flaw in a cryptographic protocol?!

  • How can you report it or flag an issue?
  • If you can fix it, is it possible to contribute?
Ella Rose
R1w

4 Answers

22

If you find a flaw or bug, for example in the Linux kernel, you can create an issue on GitHub, or if you can solve it you can contribute. How about finding a flaw in a cryptographic protocol?!

A protocol is slightly different than a concrete implementation of a piece of software like the Linux kernel on GitHub. It is closer to a specification that may be followed by many different implementations.

  • How can you report it or flag an issue?
  • If you can fix it, is it possible to contribute?

This depends on whether the protocol is something that is deployed and in use, e.g. TLS, or is a protocol that has merely been proposed academically.

If it is a theoretical academic protocol, you would create a paper discussing the attack or relevant shortcomings of the protocol and publish it as appropriate.

If the protocol in question is actually in use in the real world, then you would find who the authors of the protocol are and email them privately. Exactly who you email might vary depending on circumstances: Companies, individual implementors, and standards bodies might all be relevant. Try looking for white papers/RFCs/working groups/etc to locate the appropriate people to contact.

Be sure to include in the email:

  • A thorough description of exactly what the problem is
  • Who is affected
  • How serious the problem is
  • How long the problem has been present
  • An implementation of the attack (a.k.a. proof of concept)
  • Recommendations for how to fix the problem

Vulnerability reporting and disclosure can have multiple, orthogonal approaches and vendor responses may vary. If it is a widely used protocol like TLS your approach and response may very well be different from some random individual's project on GitHub.

Oh, and apparently it's trendy to create a branding campaign for the vulnerability, including a name, logo, and website. Whether or not this is a good practice is debated.

Ella Rose
5

This relates how I dealt with this issue in 1999. I had found an attack on the ISO/IEC 9796(-1) signature scheme. It was closer to practical than another line of effort¹ to break that scheme.

The signature scheme was used by indirect business partners of my employer. It was thus a professional necessity not to make a hostile disclosure. I got internal clearance to contact by email the ISO/IEC committee working on such standard. Initially I was met with some skepticism about the correctness of my computations, and I was not even sure that my padding was exact down to the bit. I had to send an example forgery, which turned out to be correct.

I decided to write my first academic paper². In August 1999, I made on sci.crypt.research (a moderated usenet list for cryptographic research) this public disclosure of the existence of the attack and that I intended to get it published. I told what the attack does, but not how. I gave the hash of an example as commitment, not the example, which could have revealed how the attack works.

The paper was accepted at Eurocrypt 2000. In May 2000 it was published and I made my only (so far) presentation in a cryptographic conference³. In the short Q&A afterwards, when it came to repairing the flaw, a representative of the working group announced that the standard would be withdrawn, following the two attacks, and the lack of convincing repair strategy short of using a hash, as already in ISO/IEC 9796-2.


¹ That other attack worked against a 1-bit variant of the scheme. Unknown to me, it had just been extended to a fully working (if theoretical) attack.

² Also my first use of LaTeX. That was a serious obstacle, especially when it came to making the indispensable and relatively complex figure.

³ That was chaotic. The presenter before me got way past schedule, ignoring the moderator's pleas that he conclude. He only finished because he literally fell backstage with a loud noise, which combined with the audience's reaction did allow my presentation to start, only about when it was supposed to end. To try to compensate, I flew over the start, which further lowered the percentage of the audience that got my point. I had my share of laughter when I candidly explained that I didn't know exactly when my own attack worked.

fgrieu
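Added example, not part of the answer above: a minimal commit-and-reveal sketch of publishing "the hash of an example as commitment" before a paper appears. It goes beyond the post by mixing in a random nonce, so that the published digest cannot be used to confirm a guess at the evidence; the label, function names and sample evidence are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Assumed domain-separation label for this example (not from the post).
LABEL = b"vuln-disclosure-commitment-v1\x00"


def commit(evidence: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest to publish, nonce to keep secret until the reveal)."""
    nonce = secrets.token_bytes(32) if nonce is None else nonce
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    # LABEL and nonce have fixed lengths, so the concatenation is unambiguous.
    h = hashlib.sha256(LABEL + nonce + evidence)
    return h.hexdigest(), nonce


def verify(published: str, evidence: bytes, nonce: bytes) -> bool:
    """Check a revealed (evidence, nonce) pair against the published digest."""
    expected, _ = commit(evidence, nonce)
    return hmac.compare_digest(expected, published.strip().lower())


def confirms_guess(published: str, guesses: Iterable[bytes]) -> Optional[bytes]:
    """Why the nonce matters: a bare SHA-256 lets anyone test candidate evidence."""
    for guess in guesses:
        if hashlib.sha256(guess).hexdigest() == published:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample evidence; a real one would be the proof-of-concept file.
    evidence = b"constructed sample: message/signature pair"
    digest, nonce = commit(evidence)
    print("publish now :", digest)
    print("reveal later:", verify(digest, evidence, nonce))
```

The digest is what goes into the public announcement; the evidence and nonce are released together once disclosure is complete, and anyone can then run `verify` on them.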
0

First of all, if the protocol is in use, you have to warn them before publicly announcing it. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

Update: examples, due to valuable comments:

  1. Example: Bleichenbacher's CCA attack on PKCS#1
  2. Example: Needham-Schroeder
kelalaka
-3

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) yet very grey market in vulnerabilities and zero day exploits. The New York Times have listed some prices and companies that resell these. Outfits like Zerodium in Washington; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, and a Virginia start-up named Endgame. Typical exploits sell for 35,000 to 160,000 dollars, but you can get up to 500,000 dollars for Apple’s iOS.

All of the security agencies pay to get these, presumably under some form of non disclosure agreements/secrecy legislation. The NSA seems to be the largest client, but the FBI also buys exploits such as for back dooring Firefox/Tor. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information onto the security agencies. Stuxnet, Flame and Duqu have all capitalised on zero day exploits with great success at disrupting Iran's nuclear program. It's to protect the children too. Or so the ideology goes. As to whether it's moral/ethical, those issues have been formalised by Obama's Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel:-

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

This policy is called NOBUS in the US and is for "investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." Examples of it are Dual_EC_DRBG, cracking Diffie-Hellman and EternalBlue in Windows. Quoting, "as a general rule, tries to focus on exploiting vulnerabilities used in its targets’ software".

In summary, there's lots of money to be made. And you'd be contributing to your country's security as JFK asked of us all.

Update:

Latest (March 2019) NY Times estimate of this market now puts it at \$12B. Salaries >> \$200,000 working for companies like Darkmatter or NSO Group breaking WhatsApp and Skype traffic.

Update2:

Zerodium is now offering up to $2,500,000 per exploit. Ka-ching:-


Paul Uszak