Thursday, 11 August 2016

One more XSS eliminated!

Back in March 2016, I made a responsible vulnerability disclosure to Citrix Systems. Citrix’s main website, citrix.com, was found to be vulnerable to cross-site scripting. The vulnerability details and timelines are provided below:

Vulnerability Details
The "Search" field associated with citrix.com was vulnerable to cross-site scripting. Please refer to the attached screenshot for the vulnerability proof of concept.

E-mail from secure@citrix.com notifying that the vulnerability is patched.

Timelines

  • March 30, 2016 at 10:00 PM - Discovered XSS on citrix.com
  • March 31, 2016 at 4:34 AM - Reported the XSS to Citrix via secure@citrix.com
  • Apr 1, 2016 at 4:49 AM - Report acknowledged by Citrix’s security team
  • May 20, 2016 at 5:40 AM - Citrix reported that the vulnerability is fixed

Citrix’s information security team was very diligent. The moment I reported the vulnerability, they were very quick in acknowledging the report and then following up with the relevant team to get the issue fixed. Kudos to the information security team at Citrix!