Discover how Gentlent addressed its first security vulnerability and the steps taken to enhance platform security, inspired by security researcher Koutrouss Naddara's responsible disclosure.
At Gentlent, we take the security of our platform very seriously. Recently, we encountered our first security vulnerability report, which has led us to improve our security measures and raise awareness about the importance of cybersecurity.
In June 2022, security researcher Koutrouss Naddara reached out to us about a possible security issue on our website. He discovered that our subdomain, developers.gentlent.com, was vulnerable to a subdomain takeover due to a misconfiguration with Gitbook and Cloudflare's Custom Hostnames product.
The issue arose because Gitbook did not release the domain's Cloudflare configuration after we stopped using their product. They also failed to re-check ownership in a way that would have prevented the vulnerability. Furthermore, Cloudflare's dashboard did not show any connection to a third-party, which made it more difficult for us to detect the issue earlier. It's important to acknowledge that we also failed to notice the problem on the domain itself in the first place, which is a crucial lesson for our team.
Upon receiving a reminder email from Koutrouss today, we took immediate action to fix the issue and review other subdomains. We also decided to introduce a bug/security bounty program as a result of this incident.
Here's what we plan to do moving forward:
We will establish a security vulnerability program to encourage security researchers like Koutrouss Naddara to report potential issues. We will also create a Hall of Fame to publicly acknowledge their efforts in helping us improve our security.
To prevent similar issues in the future, we will conduct regular reviews of our domain portfolio and our usage of third-party services. This will help us identify potential vulnerabilities and fix them promptly.
We will implement strict onboarding and offboarding procedures for third-party software to ensure that security measures are maintained throughout the lifecycle of their usage.
To further reduce potential security risks, we will move third-party hosted services to different domains owned by Gentlent. This will help us maintain better control over our assets and reduce the attack surface.
This experience has been an essential learning opportunity for our team. We believe that raising awareness about cybersecurity vulnerabilities is crucial for the entire community, and we are grateful for the discovery and disclosure of this issue by Koutrouss. His professionalism and expertise have helped improve the security of our platform, and we hope that sharing our story will encourage others to prioritize cybersecurity.
We would like to emphasize that, thanks to Koutrouss Naddara's swift disclosure of the security vulnerability, we were able to take prompt action to address the issue. As a result, no users or sensitive data were affected during this incident. This highlights the importance of responsible disclosure and collaboration between security researchers and companies to ensure the safety of digital platforms. Special thanks to Koutrouss for his tireless efforts to make the internet a safer place.
Tom Klein
Founder & CEO
Gentlent UG (haftungsbeschränkt)
Gentlent
Customer Support
support@gentlent.com