Educause Security Discussion mailing list archives
Re:
From: Alex <alex.everett () UNC EDU>
Date: Wed, 27 Feb 2008 20:12:54 -0500
David: Ethically, it really boils down to what is best for the users of the software. Obviously, it is a simple answer if you notified the vendor and they give you a date. If they resist, I think you have to decide if you believe they are acting in the best interests of their customers. Unfortunately, businesses don't necessarily operate based on the best interests of their customers. However, many do but need time to correct the issue. Hope that helps.

You could also consider having someone else pressure them. It might mean more if Verisign, TippingPoint, US-CERT or another entity contacts them.

Sincerely,
Alex

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Shettler
Sent: Wednesday, February 27, 2008 7:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

Hey all,

I'm a tad biased in this given my affiliations, but... what is the consensus on disclosing vulnerabilities you discover in COTS on your network? My method has been as follows:

1) notify the vendor, request them to issue me a timeframe of when THEY would like the vulnerability disclosed publicly
2) if they respond with a timeframe, abide by their request
3) if at all possible, have it be a coordinated disclosure or, better yet, a pure vendor disclosure.

If the vendor doesn't respond with a timeframe, I re-request one. If it becomes clear to me they won't, I pick the timeframe. If the vendor requests I not disclose (which just happened now for the first time, prompting this email), I get uncomfortable.

My theory on the matter is, if there is no public disclosure, then 1) vendor incentive is lower, and I may or may not receive a patch to fix my organization's problems, 2) IDS/IPS and vulnerability scanning software manufacturers/communities will never know of it, and thus never be able to protect against it, and 3) there are often dozens of other schools, if not thousands, that I know are equally vulnerable -- and I get to deal with some degree of guilt over the unshared knowledge.

The counterpoint is, if I disclose, then everyone and their dog knows about it -- including those who would be malicious with said information.

How are others in .edu handling this? Do you go beyond vendor notification? Most vendors I've dealt with happily receive the reports, and are more than willing to issue timeframes and disclose themselves. Recently I've encountered one that is quite the opposite, and they have questioned the ethics behind my methodology.

Dave
College of the Holy Cross
Lead Dev - OSVDB