Conversation

Notices

1. Embed this notice
   Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 14-Apr-2024 17:24:42 JST Kevin Beaumont

   I wrote up the Delinea Secret Server Cloud security incident situation: https://doublepulsar.com/delinea-has-cloud-security-incident-in-thycotic-secret-server-gaff-581a33990882

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 14-Apr-2024 18:04:31 JST Kevin Beaumont

     in reply to

     As far as I can see Delinea have no responsible disclosure programme or vulnerability reporting contact.

     They did, however, do a podcast about how to run one 😬 https://delinea.com/events/podcasts/responsible-disclosure-programs-katie-moussouris-casey-ellis

   • Embed this notice
     maswan (maswan@mastodon.acc.sunet.se)'s status on Sunday, 14-Apr-2024 18:09:47 JST maswan

     in reply to

     @GossiTheDog If only the Chief Security Scientist and Advisory CISO at Delinea had had an opportunity to listen to that episode, maybe they would have been better off!

   • Embed this notice
     faebudo (faebudo@ioc.exchange)'s status on Sunday, 14-Apr-2024 20:46:38 JST faebudo

     in reply to

     @GossiTheDog It's in their responsible disclosure policy pdf: securityandvulnerabilities@delinea.com
     here: https://trust.delinea.com/?itemUid=56583ca0-6561-4cf3-a150-8c0c45d214cf

   • Embed this notice
     faebudo (faebudo@ioc.exchange)'s status on Monday, 15-Apr-2024 01:12:16 JST faebudo

     in reply to

     • stephen

     @dmaonR @GossiTheDog I agree. it's also not indexed and you can't google for it. Also I have to assume it's only there for ISO 27001 compliance and not because they use it, when even their support staff doesn't know about their policies and processes concerning security.

   • Embed this notice
     stephen (dmaonr@mastodon.online)'s status on Monday, 15-Apr-2024 01:12:17 JST stephen

     • faebudo

     @GossiTheDog @faebudo If it's not on the contacts webpage it might was well not exist.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Apr-2024 04:02:19 JST Kevin Beaumont

     in reply to

     Delinea have removed the paywall on the IoCs and remediation information.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Apr-2024 04:27:18 JST Kevin Beaumont

     in reply to

     In fairness to Delinea I think they have got on top of this really well now. The remediation guide is top tier.

     They probably want to have a look at their CMS setup for their online portals, eg the podcast and marketing content is really well search engine optimised, but the security content (including responsible disclosure policy) is on a platform which is really search engine unfriendly - most of it is so buried I can’t even find it via Google, I think they might be blocking it by mistake.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Apr-2024 04:33:57 JST Kevin Beaumont

     in reply to

     All of Delinea’s product and cloud security info is on trust.delinea.com - but only the front page is indexed by search engines, there’s only two results. They block pages off using robots.txt - including how to report vulnerabilities.

     Other orgs probably want to learn from that.

   • Embed this notice
     Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 15-Apr-2024 04:41:12 JST Kevin Beaumont

     in reply to

     Also, allow me to plug: https://securitytxt.org/

     Example usage: https://www.google.com/.well-known/security.txt

     https://www.meta.com/.well-known/security.txt