Vulnerability Development mailing list archives

Re: Complicated Disclosure Scenario


From: Dan <sfml () sneakernetsecurity com>
Date: Thu, 17 Jan 2002 10:19:15 -0500


From the SecurityFocus info on Vuln-Dev:

  There are many forums for reporting security bugs and distributing 
  vulnerability code or examples. A prime example of such a forum is 
  the BUGTRAQ mailing-list. However, nearly all of these forums exist 
  mostly for the dissemination of fully-researched reports, and they 
  leave little room for discussion. In addition, many bugs are 
  spotted not written-up, due to lack of interest, time, or expertise.

  The VULN-DEV list exists to allow people to report potential or 
  undeveloped holes. The idea is to help people who lack expertise, 
  time, or information about how to research a hole do so.

  The VULN-DEV list is dedicated to the concept of full disclosure. 
  We believe that release of exploit code serves the security 
  community overall. Since the list is dedicated to interactively 
  researching vulnerabilities, there will generally NOT be 
  an opportunity to warn software vendors or authors. In many cases it 
  will not be clear that there is a problem until the exploit or 
  description is finalized, at which point all list subscribers will 
  know. It is very appropriate to notify vendors or authors as soon as 
  it is clear there is a problem.


You've notified the company and done your part.  You may want to 
inform them that you don't have the resources to explore further
so you will post it to vuln-dev by such and such a time to be 
explored further.  I wouldn't post it as an advisory cause that 
may attract more attention.  I'd just say hey look what I found,
what can you do with it?


Dan


I would like to gather some opinions on a not so theoretical disclosure
scenario. Please for the sake of focused discussion keep your replies
related to the specific scenario that I am proposing and not alternate
opinions on disclosure in general.

<snip>

At this point I contacted the vendor to alert them to the existence of
this problem. 

<snip>

I informed this vendor, who is by no means short on resources, that I
might not be able to successfully make that determination due to
constraints on my time (after all I do this for fun) and ability, as
this problem exists on an architecture that I have very little
experience with. 

I encouraged the vendor to begin their own investigation. They ignored
this, and again stated that they would await my results.

This is the problem as it sits. If I reach out to "the community" for
additional assistance with researching this bug I might as well just send
out an advisory. If I release an advisory the vendor will most likely
not have a patch ready, they will feel violated and the user base will
be left open to exploitation with no fix. If I do nothing, the problem
persists and nothing gets accomplished, and maybe someone with not so
good intentions discovers the same bug and uses it to do harm.

So, what would you do?
