Search This Blog

Powered by Blogger.

Blog Archive

Labels

Navigating Vulnerability Disclosure: Lessons from Delinea’s Secret Server Flaw

Incident involving Delinea’s Secret Server SOAP API highlighted the challenges faced by both parties in the disclosure process.

Lessons from Delinea’s Secret Server Flaw

Recently, an incident involving Delinea’s Secret Server SOAP API highlighted the challenges faced by both parties in the disclosure process.

Vulnerability Details

A major flaw in Delinea's Secret Server SOAP API was discovered this week, prompting security professionals to rush to implement a fix. However, a researcher claims he contacted the privileged access management provider weeks ago to notify them of the flaw, only to be informed he was not authorized to file a case.

Vendor Response

Delinea first revealed the SOAP endpoint issue on April 12. The next day, Delinea teams released an automatic remedy for cloud deployments and a download for on-premises Secret Servers. But Delinea was not the first to sound the alarm.

The vulnerability, which has yet to be issued a CVE, was first publicly exposed by researcher Johnny Yu, who presented a full study of the Delinea Secret Server issue and stated that he had been attempting to contact the vendor since February 12 to responsibly disclose the bug. After working with Carnegie Mellon University's CERT Coordination Center and seeing no reaction from Delina for weeks, Yu decided to publish his findings on February 10.

Silence and Questions

The lack of information regarding the reaction indicates "issues" with Delina's patching protocols, according to Callie Guenther, senior manager of threat research at Critical Start. However, she emphasizes that the crushing weight of vulnerability management is harming everyone.

The National Institute of Science and Technology (NIST) recently stated that it is unable to keep up with the number of vulnerabilities submitted to the National Vulnerability Database and has requested assistance from both the government and the commercial sector.

Lessons Learned: How to Resolve this Situation?

1. Inclusivity Matters

Vendors must revisit their bug submission policies. Excluding independent researchers like Yu can hinder the discovery of critical flaws. A more inclusive approach—one that welcomes input from all corners—can only strengthen our collective security posture.

2. Communication Is Key

Prompt communication is essential. When researchers encounter vulnerabilities, they need a clear channel to report them. Vendors should actively engage with the security community, acknowledge submissions promptly, and provide transparent timelines for fixes.

3. Transparency Builds Trust

Delinea’s delayed response eroded trust. Transparency about the vulnerability’s impact, the timeline for resolution, and the steps taken to mitigate risk fosters goodwill. Vendors should be open about their processes and demonstrate commitment to security.

4. Collaboration Over Competition

Researchers and vendors share a common goal: securing systems. Rather than racing against each other, they should collaborate. A cooperative approach benefits everyone—vendors get timely fixes, and researchers contribute to a safer digital ecosystem.

Share it:

API Bug

Deliniea

Secret Server Flaw

Vulnerabilities and Exploits

Vulnerability Disclosure