A good lesson for technology providers: if security researchers reach out to you, acknowledge them as quickly as possible, especially when they’ve discovered a critical vulnerability. If you work with them to remediate the issue, you may be able to get a patch out before they feel the need to publish the vulnerability for the greater good – so that those affected are aware of the problem, and can try to mitigate the risk with compensating controls. “Keeping your head down” in these situations and not responding rarely, if ever, results in a positive outcome.
It’s unknown why BPC Banking Technologies did not respond for months to alerts from Rapid7 and the US and Swiss national Computer Emergency Response Teams (CERTs) regarding vulnerabilities in their SmartVista eCommerce software. This certainly does not inspire confidence in their development and cyber security program though.
If your company uses SmartVista, in addition to the advice in the article below, I recommend ensuring that any computer with access to or running the transactions interface of their front-end console (SVFE) is isolated from the Internet and/or any networks it does not need access to, that more than one factor of authentication is required for any console administrator, and that the computer is “locked down” so that whomever is logged in is restricted to “user” access.