Firewall Wizards mailing list archives
Re: Decision
From: Paul Robertson <proberts () patriot net>
Date: Thu, 5 Jun 2003 10:09:05 -0400 (EDT)
On Thu, 5 Jun 2003, Peteris Krumins wrote:
Hello fw wizards! I have run into a hard decision - I just discovered a bug in <someserver> which <some large company> runs and which is only accessible to the clients of <the company> - it's an auth server, somewhere tied together with a Cisco router w/ SSG and RADIUS authentication. Due to the bug, any source file can be read, and <the company> has spent thousands of $ on making the system. What's best - report the bug and possible workarounds, or let it stay? What I am nervous about is that <the company> could 'kick' me later for seeing the sources.
You have several choices:

1. Contact the company and fully explain the situation, and hope they don't remove you.

2. Contact the company anonymously, explain the situation, and hope they don't try too hard to get past your anonymity.

3. Use a trusted 3rd party to contact the company, and hope they don't decide to try to get past your anonymity. (I'd be happy to mediate if you choose this path; we do this quite frequently at TruSecure and ICSA Labs.) Just note that contact information is subject to discovery motions should the company decide that a law has been broken. We've yet to have anyone do this, but it's worth keeping in mind.

If something happens via the bug, and your activities were logged, then the chances are that you'll be blamed. That, and basic ethics, should mean that not reporting the issue is a non-starter.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards