A critical flaw in Delinea's Secret Server SOAP API disclosed this week sent security teams racing to roll out a patch.
A researcher claims he contacted the privileged access management provider weeks ago to alert them to the bug, only to be told he was not eligible to open a case.
Delinea first disclosed the SOAP endpoint flaw on April 12.
By the next day, Delinea teams had rolled out an automatic fix for cloud deployments and a download for on-premises Secret Servers.
Delinea wasn't the first to raise the alarm.
The vulnerability, which still doesn't have an assigned CVE, was first publicly disclosed by researcher Johnny Yu, who provided a detailed analysis of the Delinea Secret Server issue, adding that he had been trying to contact the vendor since Feb. 12 to responsibly disclose the flaw.
After working with the CERT Coordination Center at Carnegie Mellon University and weeks of no response from Delina, Yu decided to release his findings Feb. 10.
After a timeline showing several failed attempts at contacting Delinea and an extension to the disclosure granted by CERT, Yu published his research.
Delinea provided an emailed statement about the status of the mitigation, but did not respond to questions about the timeline of disclosure and response.
The access vendor's silence on the issue leaves open questions about who can submit bugs to the company, under what circumstances they are able to submit, and whether there will be any process changes made to the way Delinea manages disclosures in the future.
She explains, the crushing weight of vulnerability management is taking its toll across the board.
Recently, the National Institute of Science and Technology said it can no longer keep up with the number of bugs submitted to the National Vulnerability Database and asked the government, as well as the private sector, to help.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 16 Apr 2024 22:10:11 +0000