Greetings @johnjhacking! Sure can, here’s the semi-redacted version of the contact timeline so far:
Friday Night
- 2020-10-16 - Researcher discovers vulnerability.
- 2020-10-16 - Researcher direct messages (DMs) Vendor via Twitter on all of their Twitter accounts.
- 2020-10-16 - Researcher submits contact form at Vendor website.
- 2020-10-16 - Researcher requests CVE.
- 2020-10-17 - Researcher inboxes Vendor via Twitter DM, again, to confirm receipt of DM.
- 2020-10-17 - Researcher live-chats with Vendor's customer support, and the support agent confirms they will forward the report to the engineering team.
- 2020-10-18 - Researcher cancels CVE request and emails the appropriate CNA (Google CNA covers Open Handset Alliance members, who run Android [Smart TVs are Android and TCL is a member as they make Alcatel phones])*.
- 2020-10-20 - Researcher inboxes Vendor via Twitter DM, again. Researcher is feeling ghosted as the Twitter account is actively posting, but not replying.
- 2020-10-20 - Researcher blind emails security @ company dot com.
- 2020-10-20 - Researcher posts here in the “looking for a contact at XYZ company” thread requesting assistance in contacting the security team at TCL.
- 2020-10-20 - Researcher phones Customer Support requesting assistance, or to forward the report to the engineering team. Phone agent states they will escalate it.
- 2020-10-21 - A fellow researcher, having read this message board, reaches out via Twitter DM and supplies contact details from within TCL. Main researcher emails that contact**.
- 2020-10-21 - Vendor's Customer Support finally replies via email to the live-chat of 2020-10-16 with the following message***:
  “Hope this email finds you well. We have carefully reviewed your email, may we verify for you further elaborate your concern about our XXXXXX TV model?”
- 2020-10-21 - Researcher replies to the above model number request, CC'ing the security contact within TCL, stating that it affects ALL of the TV model numbers that are running the firmware version number stated in the email of the 16th.
It's Thursday today and there is no response from the security team yet (approaching 7 days).
Eventually this Vendor will respond. I hope this timeline helps others out there doing off-platform security reports. Sometimes they're just as fun as looking for the bugs! I will edit this post as the timeline changes.
** Feel free to DM me on Twitter for the TCL contact, if you need it. I’m not sure if it works yet though. Thank you to the guy who sent it to me, you know who you are!
*** Fully prepared report example: CVE-2020-15590 - Private Internet Access VPN for Linux – Exposure of Sensitive Information to an Unauthorized Actor (Sick Codes).
Always include semi-standard headings like vuln/exploit, details, mitigation and links so that the bug-scraping bots out there can distribute your reports properly. Make it easy for the bots!
Above report on GitHub: security/SICK-2020-001.md at master · sickcodes/security
And in Markdown mode: https://raw.githubusercontent.com/sickcodes/security/master/advisories/SICK-2020-001.md
Feel free to copy the format above.
NB: Even if MITRE doesn't assign a CVE for your vulnerability, it is obviously still in the general interest of humanity to know about software bugs, especially for the people who use that software. Consider self-publishing reports like I have started doing: CVE-2020-27402 - Hindotech HK1 TV Box - Root Privilege Escalation (Sick Codes). It may still get picked up by bug-scraping bots and save somebody's computer from ransomware one day!