Cold-email a VP, publish in Phrack

April 14 2012

In the popular sense of the word, I’m no super-hacker. While coding, my sunglasses and fingerless gloves stay on the desk.

Acid Burn (Hackers 1995) in a trench coat

My collection of sexy trenchcoats is also lacking. (credit)

Despite these disadvantages, back in September I discovered a vulnerability in the web interface of a Netgear wireless router. Now published in Phrack, my exploit code allowed for nasty things like stealing admin credentials and hiding network devices. I wanted to let Netgear know, so I wrote my first disclosure: a friendly email briefly describing myself, the flaw, and my intentions of publishing.

Unfortunately, that was the easy part. A Netgear security email was nowhere to be found. In fact, I couldn’t even find a way to submit a support ticket (this has since changed).

If I could just get my message to a human, I figured it would end up in the right place. After all, who wants to be responsible for blowing off a security flaw? On Netgear’s contact page, I found a press relations email. No response. Investor relations channel? Nope (I must not be rich enough). Support emails found by Googling? Nothing.

This obviously wasn’t going to work. It was time to pivot.

Ten more minutes of searching got me everything I needed: the direct emails of five random support staff, plus the most executive position I could muster: the VP of engineering. Brazenly dumping them all in the recipient box, I tried again.

Within 10 minutes, one of the support staff got back to me, eagerly CC’ing his boss’s boss. I apologized, and my ensuing communication with Netgear was pleasant and to the point.

My takeaway: it’s easier to beg for forgiveness than to ask for permission. Well, that, and don’t let a lack of fingerless gloves keep you from submitting to Phrack.


Subscribe to future posts via email or rss.