Tesla, the electric car maker, has awarded a $10,000 bounty to a researcher who found an instance of a Microsoft SQL Server Reporting Services vulnerability exposed on its infrastructure. The researcher built on technical details that another researcher had already published.
US electric car maker Tesla recently paid what is, for a company of its size, a fairly modest bounty for a vulnerability in Microsoft SQL Server Reporting Services (SSRS) exposed on one of its servers. The payment went to the researcher who discovered it.
Microsoft had patched SSRS only days before the report came in. The flaw, a server-side bug, allowed remote code execution. The German bug hunter “parzel” found it on a server used by Tesla’s partners.
The SSRS vulnerability had previously been disclosed by someone else:
The vulnerability, tracked as CVE-2020-0618, was patched by Microsoft on February 11. parzel reported the vulnerable Tesla instance a few days later through the Bugcrowd bug bounty platform, having discovered it while browsing Tesla’s domains.
Having found the vulnerable instance, parzel extracted strings from the SSRS page source that could serve as fingerprints and then checked Tesla’s domains for hosts matching them. Tesla acknowledged the report, rewarded him with $10,000, and took the affected SSRS instance offline once the vulnerability came to light.
MDSec researcher Soroush Dalili had originally reported CVE-2020-0618 to Microsoft. On February 14, three days after Microsoft’s update, Dalili published technical details of the vulnerability and how it could be exploited.
The MDSec write-up was what enabled parzel to identify the vulnerability on Tesla’s server; in a post on Twitter he thanked Dalili for publishing it.
With the vulnerability now fixed, one could argue that Tesla’s reward was on the low side for a company of its size. However, considering how the bug was found and that the technical details had already been published, the amount seems sufficient.