For those who don't know I currently have an automated crawler searching Pastebin for new exploits and vulnerabilities. This crawler reports its results live via the Twitter hashtag #exploitAlert. Every once in a while if something catches my attention, I'll submit it to the software vendor.
For most vendors the process is very straightforward...just send an email or fill out a form. For an example of the right way to allow submissions of security vulnerabilities take a look at Microsoft's method.
Recently a supposed "0 day" vulnerability for Parallels Plesk was found by my crawler (a permanent copy of this paste is available here). I've never worked with Parallels software before, so I went to their website to try and find out where to submit a vulnerability. Finally I found it was an option on their support form.
My jaw dropped when I saw the warning at the bottom of the support form...
Well that certainly puts a stopper on things. I'm not a paying customer...so obviously I won't be able to continue. And what's even worse...if I was a paying customer...I would be CHARGED for submitting a security vulnerability!
Policies such as the one above will only cause frustrated users to post the vulnerability publicly instead of through responsible disclosure.
If anyone from Parallels reads this I would like to encourage you to push for reform of your vulnerability submission practices.