Firewall Wizards mailing list archives

Re: Decision


From: Paul Robertson <proberts () patriot net>
Date: Thu, 5 Jun 2003 10:09:05 -0400 (EDT)

On Thu, 5 Jun 2003, Peteris Krumins wrote:

Hello fw wizards!

 I have run into a hard decision - I just discovered a bug in
 <someserver> which <some large company> runs and is only
 accessible to the clients of <the company> - it's an auth
 server, somewhere tied together with Cisco router w/ SSG and
 RADIUS authentication.

 Due to the bug, any source file can be read, and <the company> has spent
 thousands of $ for making the system.

 What's the best - report the bug and possible workarounds or let it
 stay?
 What I am nervous of is that <the company> could 'kick' me later
 for seeing the sources.

You have several choices:

1.  Contact the company and fully explain the situation, and hope they 
don't remove you.

2.  Contact the company anonymously, and explain the situation and hope 
they don't try too hard to get past your anonymity.

3.  Use a trusted 3rd party to contact the company, and hope they don't 
decide to try to get past your anonymity (I'd be happy to mediate if you 
choose this path; we do this quite frequently at TruSecure and ICSA Labs.)  
Just note that contact information is subject to discovery motions should 
the company decide that a law has been broken.  We've yet to have anyone 
do this, but it's worth keeping in mind.

If something happens via the bug, and your activities were logged, then 
the chances are that you'll be blamed; that and basic ethics should mean 
that not reporting the issue is a non-starter.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
