How To Contribute/Report Vulnerabilities

So you want to contribute and report a vulnerability to a vendor? Well good for you.

While this started as a personal project, it quickly became apparent that there were many more researchers working independently. The site has now been built to give independent researchers a place to contribute their findings and to present a unified front to the industry.

While we cannot force you to do anything or follow this process, we highly encourage you to submit your findings through the IoD project. By doing this, you make it easier for vendors, who are often new to this whole thing, to deal with one group rather than many different ones.

Your findings can be sent in with others to vendors so that many fixes can be done in one release, rather than over many smaller releases.

Credit will be given for your discoveries, of course. We are not out to hog any glory here. As well, you will be fully involved in communications with the vendor throughout the process. IoD will just be there to lend a hand to either side. We also will hopefully be able to verify any of your findings independently from our "Dong Library" of devices on hand, should the need arise.

You can investigate anything you wish on whatever devices you want. We don't have the budget to send devices to everyone who wants to investigate, but if you prove yourself to be a decent and reliable contributor, as we acquire more devices we may start sending them out, especially if some have not been scrutinized yet.

Even if you don't have any devices, that doesn't mean you can't help. Since the associated software is usually freely available, there is a fair amount of investigation possible just from static and some dynamic analysis. Just check out our Dong List to see all the devices we've identified the software for. (If we've missed one, please let us know.)


Submitting through the IoD

The IoD uses Dradis for report generation and collation of our findings. With it we can send in vulnerabilities in large batches rather than as a constant stream. This way many fixes can be rolled into one release, rather than causing many smaller changes over a large number of releases.

The easiest way is to send your findings as a Dradis CE project export to info@internetofdon.gs. To do this, go to Export Results -> Save and Restore Project -> Export as a package. Make sure that you add an #Author# section to each finding so you get proper credit.

Installing Dradis CE locally is easiest through the Penetration Testers Framework. Just install PTF and from the prompt type:

use module modules/reporting/dradisframework
install

The other option is to use Kali Linux which has Dradis CE already included. Just run the following:

service dradis start

Then connect to 127.0.0.1:3000 in your browser.

Note: You may have to change permissions on the /usr/lib/dradis directory to allow the dradis user to write the temporary export file. "chmod 777 /usr/lib/dradis" should solve it.
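The permission fix above makes the directory writable by every local account. As an added example (not part of the original page or the Dradis project), the script below grants only the dradis service user's group write access to /usr/lib/dradis and checks that the result is not world-writable; it assumes the Kali layout named on the page (service user "dradis", directory /usr/lib/dradis) and must be run as root for the real directory.

```shell
#!/bin/sh
# Added example: give the Dradis service user write access to its export
# directory without chmod 777. Assumes (from the page) the Kali service
# account is "dradis" and the directory is /usr/lib/dradis.

# grant_dir_write DIR GROUP
# Make DIR group-owned by GROUP and group-writable (setgid so files created
# inside inherit the group), and strip the write bit for "other".
grant_dir_write() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chgrp "$group" "$dir" || return 1
    chmod u+rwx,g+rwxs,o-w "$dir" || return 1
}

# dir_is_least_priv DIR GROUP
# Returns 0 when DIR belongs to GROUP, is group-writable, and is NOT
# world-writable; otherwise returns 1.
dir_is_least_priv() {
    dir=$1
    group=$2
    [ -n "$(find "$dir" -prune -group "$group" -perm -g+w ! -perm -o+w)" ]
}

# The real fix on Kali (run as root): the dradis user's primary group
# is assumed to also be named "dradis".
fix_dradis_dir() {
    grant_dir_write /usr/lib/dradis dradis
}

# Unprivileged demo on a scratch directory using the caller's own primary
# group: the page's chmod 777 fails the check, the narrowed mode passes it.
demo_least_priv() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)
    chmod 777 "$tmp"                                  # the blanket fix
    if dir_is_least_priv "$tmp" "$grp"; then rm -rf "$tmp"; return 1; fi
    grant_dir_write "$tmp" "$grp" || { rm -rf "$tmp"; return 1; }
    dir_is_least_priv "$tmp" "$grp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run demo_least_priv as any user to see the check in action; run fix_dradis_dir as root on the Kali box.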