Critical Bubble Vulnerability (Terms of Service Violation) They Don't Seem To Care Enough About

Hi All,

Sam here, from the success team. Thank you everyone for expressing your concerns - feedback like this is how we learn and grow as a company, and we appreciate everyone sharing their thoughts on this subject.

A few notes about how we respond to reports of security vulnerabilities in general:

  • We assign a criticality level based on the impact the vulnerability has and what mitigations exist.
  • Based on criticality and what it would take to fix the vulnerability, we prioritize & schedule engineering work accordingly.
  • It’s really important to note that there are no bona fide reports of security vulnerabilities that we, as a team, don’t care about or intend to ignore. Items on our roadmap that have a lower urgency level are still things that we care about and intend to resolve, just on a longer timeframe than items with a critical urgency level.

In regard to this specific vulnerability report:

  • The most important factor that went into assessing this vulnerability as low impact is the fact that it does not allow an attacker to gain access to data that they shouldn’t otherwise be able to see.
  • We have mitigation plans in place that would allow us to temporarily give more file storage for free to a user who is legitimately affected, while running scripts on the backend to delete malicious data, as well as blocking suspicious uploads.
  • We have various capabilities to deter various forms of DDoS attacks such as one that would take advantage of this vulnerability. We don’t disclose the details of those capabilities publicly to make it harder for attackers to work around them.
  • Resolving this particular vulnerability is going to require user-facing feature changes, because the concept that “anonymous visitors to your app can upload files” is part of the required functionality of some people’s apps. So part of the delay here was that in order to fix it well – and not impact our users with multiple changes in a row or half-baked features – we wanted some time to plan out what those user-facing features would entail.
  • None of the above 4 points are intended to imply that we don’t view this as a problem and that we don’t want to fix it. They just mean that we at Bubble view this as a “low,” rather than a “high” or “critical” vulnerability.

Specifically as it relates to security issues, we would like to generally discourage these types of posts. There is nothing productive to be gained from publicizing any security concern outside of a responsible disclosure process, which in our case involves using our bug report form and working with our support team. It only serves to make potential bad actors aware that a particular vulnerability exists, thus needlessly increasing the potential impact on millions of active Bubblers.

That said, we hear the user response here, and we understand that some of you view this issue with a higher level of urgency than we initially assessed as a team. Our engineering team is looking into ways that we can resolve this behavior sooner rather than later. While we don’t have an exact timeframe at this time, I’ll be sure to keep this thread updated.

11 Likes