I need to report a vulnerability

I need to report a vulnerability in WD MyCloud EX2 devices. Who do I contact?

@subsonic I will PM you.

Hey. Any updates on the status? I know it may take a while, I was just wondering if there’s any feedback.

Hello,

The information provided has been submitted to our security teams for analysis.
Have you a CVE number to share?

I don’t have a CVE number to share. I’m not sure if I should be reporting it for a CVE or letting WD do that and mention me in the credits. I didn’t want to report this for a CVE without coordinating with WD. I believe in responsible disclosure. My concerns are first and foremost responsible disclosure, giving WD ample time to review and fix the issue before I disclose it publicly, followed by my desire to get credit for any related CVE. Please advise on WD’s process for reporting vulnerabilities and assigning CVEs. Thanks.

@subsonic

My Cloud firmware 2.21.126 has been released to the field for the following products.

What’s new!

• Resolved security vulnerability related to remote access.
• Improved My Cloud Cloud connectivity across My Cloud web, mobile & client apps.

My Cloud (Single Bay 2.xx firmware)
Firmware Release 2.21.126 (12/13/2016)
http://download.wdc.com/nas/My_Cloud_GLCR_2.21.126.bin

My Cloud Mirror Gen2
Firmware Release 2.21.126 (12/13/2016)
http://download.wdc.com/nas/My_Cloud_BWVZ_2.21.126.bin