A recent vulnerability I found
I was in a bug-fuzzing session as usual and found this one in a system from Mat Bao. For readers unfamiliar with them, Mat Bao is a major domain registrar and cloud hosting provider in Vietnam. They also operate across several other areas and offer a wide range of services.
The vulnerability lies in one of their systems. It allows unauthorized data access.
Timeline:
- 28/04/2026: Fooling around with their system. Realized something was odd. I thought it might be possible to gain access to a large portion of data. Left it there for some other work.
- 01/05/2026: It was not until this day that I could come back to it. Did some hands-on testing to verify that the attack I imagined actually worked. I was able to confirm that I could gain access to highly sensitive data. I will not disclose what kind of data it was or which subsystem it belonged to. I ethically stopped as soon as I gained access to a single data record.
- 02/05/2026: I sent them an email saying there was such a flaw in their system and asked whether they were interested at all.
- 05/05/2026: (There were a few public holidays prior to this.) They told me they wanted to hear more and asked for details such as reproduction steps. I sent them a description of the flaw and a PoC on the same day, along with the impact and the scope I had tested. I let them continue with any further impact and scope analysis.
- 06/05/2026: The team confirmed that this was a high-severity vulnerability and that they would start remediating it.
This is one of the very exceptional cases where I mess around with a Vietnamese (my homeland) company (read the sections below for why). I’m quite pleased with the way the team reacted to the problem. They acted with urgency, professionalism, and transparency. No system is flawless. The way a company handles a problem, whether it is a purely technical issue or a service issue, says a lot about whether they are trustworthy. Mat Bao showed themselves to be a company I could trust with my data.
One thing worth noting, however, is that I could not find any reporting guidelines beforehand. When sending the report, I genuinely did not know what to expect. This is exactly the kind of situation that VDPs are meant for.
What is a VDP and why does your company need one?
A VDP (Vulnerability Disclosure Program/Policy) is a public guideline stating that security researchers are allowed to examine your systems and explaining how they can report issues. Simply put, it’s a way to say: “Hey neighbor, if you think I forgot to close my door, you can come closer, check, and let me know.”
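The practical way to publish that "come and tell me" notice in machine-readable form is a security.txt file (RFC 9116) served at /.well-known/security.txt, which is also the first place a researcher looks when, as in the report above, no reporting guidelines are visible on the website. The following checker is an added example written for this post, not code from the original article or from Mat Bao; the two sample files, the example.com domain and the addresses in them are constructed for illustration.

```python
"""Minimal RFC 9116 security.txt parser/validator (added example, not the post's own code).

RFC 9116 requires the "Contact" and "Expires" fields, allows "Expires" only once,
and requires each Contact value to be a URI (mailto:, https: or tel:).
The sample files below are constructed for this example.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse
import urllib.request

WELL_KNOWN_PATH = "/.well-known/security.txt"   # location defined by RFC 9116
REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto", "https", "tel")

# Constructed sample: what a usable file looks like (domain/addresses are assumptions).
GOOD_SAMPLE = """\
# Security contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00Z
Policy: https://example.com/security/policy
Preferred-Languages: en, vi
"""

# Constructed sample with the two most common mistakes: no Expires, Contact is not a URI.
BAD_SAMPLE = """\
Contact: security@example.com
Policy: https://example.com/security/policy
"""


def security_txt_url(domain):
    """Build the canonical HTTPS URL for a domain's security.txt."""
    return "https://" + domain + WELL_KNOWN_PATH


def fetch_security_txt(domain, timeout=10):
    """Fetch the file over HTTPS. Network access; not used by the offline samples."""
    with urllib.request.urlopen(security_txt_url(domain), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_security_txt(text):
    """Return {field_name: [values...]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue   # comments, blank lines and malformed lines carry no field
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable for reporting."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append("missing required field: " + name)
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            problems.append("Contact is not a mailto/https/tel URI: " + repr(contact))
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear only once")
    for value in expires:
        # RFC 9116 uses ISO 8601; accept the trailing Z/z form on older Pythons too.
        iso = value.replace("Z", "+00:00").replace("z", "+00:00")
        try:
            when = datetime.fromisoformat(iso)
        except ValueError:
            problems.append("Expires is not ISO 8601: " + repr(value))
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append("file expired on " + value)
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_security_txt(sample) or "OK")
```

Run it against a live site with `validate_security_txt(fetch_security_txt("example.com"))`; an HTTP 404 on the well-known path is itself the finding, because it means a researcher has no sanctioned channel and has to guess at an address the way the report above did.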
There are several types of VDPs. You can even tailor the program to suit your company, but the ultimate goal is still the same: encourage good people to test the system and report vulnerabilities early before they fall into the wrong hands.
A VDP allows you to leverage the massive pool of security experts out there who are willing to help for free.
A nice side effect of a VDP is that it shows how serious you are about cybersecurity and data protection. If your company operates in high-risk industries like fintech, banking, healthcare, cloud computing, telecommunications, etc., then you probably already know that, apart from development work, massive effort also goes into building reputation and trust with clients and customers. It falls into the same category as making your processes and systems meet compliance requirements. A VDP gives the impression of willingness, as opposed to being forced to do something. Having a VDP is a competitive advantage to some extent.
A common misconception is: “My system has never been visited by an (un)ethical hacker. Why should I have a VDP?” Well, perhaps the fact that you do not have one discouraged the ethical ones in the first place. And even worse, you may already have been unknowingly exploited.
Some examples:
- Yahoo realized they had a data breach three years later.
- The Cloud Hopper Campaign involved intruders living inside victim systems unnoticed for years.
- First American Financial Corporation suffered a breach they did not detect for weeks.
And if you are a Vietnamese citizen, you may have heard about the Vietnam CIC data breach back in September 2025. This may not be the best example of unnoticed exploitation, since their alert systems did detect abnormal behavior and there was no public information about how long the intrusion lasted, but it still shows how bad things can get when vulnerabilities are discovered too late. The worst time to find out you have a vulnerability is after it has already been exploited.
As a company, you may or may not care deeply about security. But if you do care, and if you welcome help, show some sign that you do.
VDP adoption: the world, the US, and Vietnam
While more and more companies are adopting VDPs, adoption is still far from universal globally. In other words, you cannot assume that a given company has one.
If we talk about a major tech market like the US, here are some reports you can refer to:
Note that these figures come from surveys run in different years on different samples, and we should not take the publishing parties' numbers at face value. They still give a rough feel for the situation: I think we can loosely say that around half of US tech companies have some form of VDP.
There does not seem to be any public report specifically for Vietnam. However, according to this Vietnam News article, “only 11 per cent of Vietnamese enterprises and organisations are adequately prepared to respond to cybersecurity incidents.” Of course, it would be unfair to directly compare this number with the “50%” estimate in the US, since the Vietnamese sample likely includes many non-tech organizations as well, but it still gives some indication.
According to my own intuition, apart from a few systems owned by the government and a handful of major companies like VNG and Viettel, there are very few Vietnamese tech organizations with a public VDP. So if I had to guess, the percentage is probably far lower than in the US.
Companies such as banks may operate private bug bounty programs instead. However, bug bounty programs and VDPs are not mutually exclusive.
This is not a complaint. This is merely informational. It is understandable that companies in different countries have different priorities and problems to solve. US tech companies can be seen as a baseline that many other companies look up to when it comes to VDP adoption in particular, and security posture in general.
Vulnerabilities do not disappear simply because nobody talks about them. You either find them early, or suffer later.