Ecosyste.ms: Awesome
https://github.com/yeaseen/vuln_discovery_0
- Host: GitHub
- URL: https://github.com/yeaseen/vuln_discovery_0
- Owner: Yeaseen
- License: gpl-3.0
- Created: 2024-03-09T05:51:01.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2024-03-23T06:03:08.000Z (8 months ago)
- Last Synced: 2024-03-31T08:21:12.161Z (8 months ago)
- Size: 2.8 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# vuln_discovery_0
# Responsible Vulnerability Disclosure Documentation
This repository documents the process of responsibly disclosing a security vulnerability discovered in the Android app of a well-known bank in Bangladesh. The bank's name is withheld by mutual agreement, since it is a financial organization and its management agreed to this. The aim is to outline the steps taken to identify, verify, and report the vulnerability to the appropriate parties without exposing sensitive information or compromising the security of the bank's systems and its customers.
## Discovery Process
The vulnerability was discovered during a routine security review of publicly available banking applications.
- Extracted the `APK` file using `MT Manager`.
- Decompiled the `APK` file using `jadx` for static analysis.
- Performed dynamic analysis using `MobSF`.

## Reporting Process
1. **Identification of Reporting Channels**: The report was sent to the CEO, the CTO and the security team.
2. **Preparation of the Report**: Which sensitive keys I found and how their exposure affects users' privacy.
3. **Submission of the Report**: An official email was sent.
4. **Follow-Up**: The initial response was prompt and came from the CEO himself. Later, the security team acknowledged the exposed key and quickly relocated it in the next update.

## Communication Log
- **First Submission Date**: Fri, Mar 8, 2024
- **Initial Response from CEO**: Yes. Fri, Mar 9, 2024
- **Security Team's Response**: Yes. Mar 11, 2024
- **My recommendation**:
- **Update Notice**: Yes. Mar 13, 2024
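The static-analysis step of the discovery process above (decompile the APK with `jadx`, then look through the output for exposed keys) can be turned into a repeatable check that a development team runs against its own build before release, and again on the next update to confirm that a relocated key is really gone from the shipped artifact. The following is an added example, not code from the `vuln_discovery_0` repository or from the bank: it scans a `jadx` output tree for hard-coded credentials using common heuristics (named assignments in Java/Kotlin, Android resource strings, and two well-known key formats) with an entropy filter to suppress UI text and labels. The `SAMPLE_FILES` tree, its paths and every key value in it are constructed for this example.

```python
"""Scan a decompiled Android source tree (for example the output of
`jadx -d out app.apk`) for hard-coded credentials.

Added example, not code from the repository this page describes.
The patterns are common heuristics, and SAMPLE_FILES below is constructed."""
import math
import os
import re
from collections import Counter

# (kind, regex) pairs; each regex captures the suspected secret in group 1.
PATTERNS = [
    # Java/Kotlin assignments such as: String API_SECRET = "...";
    ("assignment", re.compile(
        r'(?i)\b\w*(?:api[_-]?key|secret|token|password)\w*\s*=\s*"([^"]{8,})"')),
    # Android resources such as: <string name="maps_api_key">...</string>
    ("resource", re.compile(
        r'(?i)<string\s+name="[^"]*(?:key|secret|token|password)[^"]*">([^<]{8,})</string>')),
    # AWS access key ID format: AKIA followed by 16 upper-case alphanumerics.
    ("aws_access_key", re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
    # Google API key format: AIza followed by 35 URL-safe characters.
    ("google_api_key", re.compile(r'\b(AIza[0-9A-Za-z_-]{35})\b')),
]
# Kinds whose regex alone is too loose; their value must also look random.
GENERIC_KINDS = {"assignment", "resource"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, prose scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str, min_entropy: float = 3.5) -> bool:
    """Reject values with whitespace (UI text) or low entropy (labels, prefixes)."""
    return not any(ch.isspace() for ch in value) and shannon_entropy(value) >= min_entropy


def scan_text(path: str, text: str) -> list:
    """Return (path, line_no, kind, value) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1)
                if kind in GENERIC_KINDS and not looks_like_secret(value):
                    continue
                findings.append((path, line_no, kind, value))
    return findings


def scan_files(files: dict) -> list:
    """Scan an in-memory {relative_path: content} mapping."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> list:
    """Walk a decompiled tree on disk and scan source, resource and config files."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".java", ".kt", ".xml", ".properties", ".json")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


# Constructed sample mimicking a jadx output tree; every value is a dummy.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="app_name">Demo Bank</string>\n'
        '  <string name="maps_api_key">AIzaSyExampleKey0123456789abcdefghijklm</string>\n'
        '  <string name="password_hint">Enter your password</string>\n'
        '</resources>\n'),
    "sources/com/example/bank/Config.java": (
        'package com.example.bank;\n'
        'public final class Config {\n'
        '    static final String API_SECRET = "kq8ZxP2vLm9TbYcR4nWe7sHd";\n'
        '    static final String TOKEN_PREFIX = "Bearer_token";\n'
        '    static final String LOG_TAG = "BankApp";\n'
        '}\n'),
    "assets/config.properties": (
        'aws.accessKeyId=AKIAEXAMPLEEXAMPLE01\n'
        'region=ap-southeast-1\n'),
}

if __name__ == "__main__":
    # Against a real tree use: scan_tree("out") after `jadx -d out app.apk`.
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}: {value}")
```

On the constructed sample the scanner reports the resource string (twice, once as a generic resource hit and once by its Google key format), the `API_SECRET` constant and the AWS key ID, while `password_hint` (whitespace) and `TOKEN_PREFIX` (low entropy) are filtered out. A key that is merely moved to a different file or encoding will still surface here if it remains in the APK, which is why the check is worth repeating on the release that claims to fix the exposure; a key that has been moved server-side will not.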
## Conclusion
Responsible vulnerability disclosure is crucial in the collaborative effort to secure digital assets and protect users. This documentation aims to contribute to the broader community's understanding and practice of ethical vulnerability research and reporting.