Right before the New Year, some reports of security breaches hit the headlines. The Snapchat data breach was particularly noteworthy. Apparently, Snapchat was notified of the weaknesses by security researchers via private communication to the company, and then also publicly. Snapchat wrote a blog post acknowledging — and giving a clue about exploiting — the vulnerability.
The vulnerability in question was rather simple: a username enumeration vulnerability exploitable by any authenticated user (i.e., a weakness that lets any logged-in user query information about other valid users). A few days later, some attackers posted the users' partial phone numbers, usernames, and geographic locations on a publicly registered domain.
A breach like this is a case study in how not to manage a vulnerability disclosure. From the perspective of a software vendor, there are several ways to botch up the breach disclosure process, including the following: