Question 11
A researcher discovers that a widely used chatbot can be prompted to reveal other users’ personal data. What is the first step consistent with responsible disclosure practices?
Correct answer: B
Explanation
Responsible disclosure requires reporting the vulnerability privately to the vendor or security contact first, not publicizing it immediately. This means giving the vendor “enough detail to reproduce the issue” and “allowing reasonable time for remediation before public disclosure,” which reduces harm to affected users.
Why each option is right or wrong
A. Immediately posting full exploit details on social media.
Public disclosure comes after vendor notification and a reasonable remediation window.
B. Privately notifying the vendor or appropriate security contact with enough detail to reproduce the issue and allowing reasonable time for remediation before public disclosure.
The proper first move is to report the issue privately to the vendor or designated security contact, because responsible disclosure norms require giving the operator enough technical detail to reproduce the leakage and a reasonable remediation window before any public release. In practice, that means withholding public disclosure until the vendor has had time to investigate and patch the flaw, rather than broadcasting a prompt that exposes other users’ personal data and increases harm.
C. Selling the vulnerability on an underground market.
Vulnerabilities should be reported responsibly, not monetized through illicit markets.
D. Ignoring the issue because the researcher is not personally affected.
Security issues should be reported even when the researcher is not personally impacted.