Educause Security Discussion mailing list archives

Re:


From: Alex <alex.everett () UNC EDU>
Date: Wed, 27 Feb 2008 20:12:54 -0500

David:

Ethically, it really boils down to what is best for the users of the
software.
Obviously, it is a simple answer if you notified the vendor and they give
you a date.
If they resist, I think you have to decide if you believe they are acting in
the best interests of their customers.
Unfortunately, businesses don't necessarily operate based on the best
interests of their customers. However, many do but need time to correct the
issue.
Hope that helps.
You could also consider having someone else pressure them. It might mean
more if Verisign, TippingPoint, US-CERT or another entity contacts them.

Sincerely,

Alex

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Shettler
Sent: Wednesday, February 27, 2008 7:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY]

Hey all,

I'm a tad biased in this given my affiliations, but... what is the consensus
on disclosing vulnerabilities you discover in COTS on your network?

My method has been as follows:

  1) notify the vendor, request them to issue me a timeframe of when THEY
would like the vulnerability disclosed publicly
  2) if they respond with a timeframe, abide by their request
  3) if at all possible, have it be a coordinated disclosure or better yet,
a pure vendor disclosure.

If the vendor doesn't respond with a timeframe, I re-request one.  If it
becomes clear to me they won't, I pick the timeframe.

If the vendor requests I not disclose (which just happened now for the first
time, prompting this email), I get uncomfortable.

My theory on the matter is, if there is no public disclosure, then 1) Vendor
incentive is lower, and I may or may not receive a patch to fix my
organization's problems, 2) IDS/IPS and vulnerability scanning software
manufacturers/communities will never know of it, and thus never be able to
protect against it, and 3) There are often dozens of other schools, if not
thousands, that I know are equally vulnerable -- and I get to deal with some
degree of guilt over the unshared knowledge.

The counter point is, if I disclose, then everyone and their dog knows about
it -- including those who would be malicious with said information.

How are others in .edu handling this?  Do you go beyond vendor notification?

Most vendors I've dealt with happily receive the reports, and are more than
willing to issue timeframes and disclose themselves.  Recently I've
encountered one that is quite the opposite, and they have questioned the
ethics behind my methodology.

Dave
College of the Holy Cross
Lead Dev - OSVDB
