Reporting memory corruption to app developers

fid02

Memory tagging on GrapheneOS is reporting an error with the app Amazon Shopping. I cannot find any way to officially report a bug for this app, other than using their Hackerone submission form. Do you think that a memory tagging error counts as a security vulnerability? In other words, is it fair to go the route of using a security vulnerability form for reporting these issues?

other8026

fid02 Personally, I think it wouldn't hurt. Hopefully they understand it's important to fix the memory issue instead of ignoring it even if it doesn't cause unexpected behavior on devices running different OSes.

fid02

I have reported the memory corruption bug to Amazon. I used flawedworld's Spotify report as a template. I'll post their response here.

fid02

Seems it has already been reported.

Reply from Amazon:

Thank you for your report!

Unfortunately, this was submitted previously by another researcher, but we appreciate your work and look forward to additional reports from you.

At this time, we cannot add you to the original report as the report may contain additional information that we cannot share with you. This may include personal information or additional vulnerability information that shouldn't be exposed to other users. Thank you for your understanding.

Have a great day ahead!