Full Disclosure mailing list archives
Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: yossarian <yossarian () planet nl>
Date: Sat, 09 Oct 2004 02:16:03 +0200
----- Original Message -----
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
To: <full-disclosure () lists netsys com>
Sent: Saturday, October 09, 2004 12:11 AM
Subject: Re: [Full-disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities

> 0. ("The primordial sin") The vulnerable product is released and all
> information about the vulnerability is made available *by the vendor
> itself* to anyone with enough competence, free resources, motivation,
> and a copy of the product.
>
> This is conditio sine qua non. The rest of the story is nothing but
> deobfuscation of that information.

Classic - if this does not happen, all the rest must wait. Time and again it has been proved that vendors do not all fix. They have several options:

1. Call it a feature (DSO)
2. Bury it deep in a manual (no, it is no disclosure: look in manual pt 17, page 2711, third alinea.... (ControlSA default crypto keys)) and let the consultants in the field admit it.
3. Sue the b4stard that disclosed it.
4. Just ignore the disclosure (Compaq Insight Manager before HP)
5. Wait and see: since so many products, so little research, no one will notice (Dell OpenManage)
6. Buy the people that disclose ... (well, let's just not mention any names in this case)

One thing that sometimes works (I have said it here before and have recently successfully used it - rotten product not chosen by major customer - a big bank): Security Responsiveness Profiling. I.e. if you are working for or hired by a possible customer of, say, product Ladidah, in the product selection process, make it a big item.

Vendor Zippedidoo has never responded to postings about security defects and does not have a process for reporting vulns; either they make flawless code, but since Zippedidoo Inc employs programmers and other people it is highly unlikely, or they bury it. We grade it a D minus (since nothing has ever been posted).

Vendor Yottum S.p.a. has a visible process for notification of defects you can actually find on their website - but nothing has ever been disclosed; grade it a B (either the product has failed scrutiny - bad sign - or no one uses it - worse).

Vendor Memsahib Ltd has a visible process, some defects have been posted including 0day, and got fixed some time later - we graded it an A minus and it got selected.

We explained in writing to Zippedidoo and Yottum how they failed. It hurt.

The examples I used are mostly old, haven't recently checked.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Disclosure policy in Re: RealPlayer vulnerabilities Drew Copley (Oct 07)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Martin Viktora (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities dave (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Pavel Kankovsky (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities yossarian (Oct 08)
- <Possible follow-ups>
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Jason Coombs PivX Solutions (Oct 07)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Martin Viktora (Oct 08)