Security Basics mailing list archives
Re: Ethics Question
From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Mon, 1 Sep 2003 11:58:28 +0200
Mike, it shouldn't really be a problem for you to alert Company Y about this. (However, it is now).

1. (Why it shouldn't be a problem)
You knew of this vulnerability in advance. You acquired that knowledge as part of your job, and no one can hold you liable for that. This means you could easily have told Company Y: "have you checked with Company X whether this thing has been fixed?", based on your old knowledge. But you can _not_ tell them that you know it still hasn't been fixed.

2. (Why it is a problem _now_)
You have no right to know any more. The fact that you _know_ it still hasn't been fixed shows that you have poked your nose into where it doesn't belong. And, as someone pointed out, it is now even on record for the entire Internet to see. Thus, you have lost your chance to alert anyone.

So, next time, don't tell the public what you did, rather go to the concerned parties directly.

Cheers,
Anders :)