RE: Question About Ethics and Full Disclosure

["Syste Op" <sysop5 () hotmail com>]

That's a good way of doing it. I think it would be better to shorten the 
period of time from 1-9 months to 1-5. When you're reporting a 
vulnerability, you should try and report the fix for it too. In my opinion, 
exploit code should be posted a few weeks after the vulnerability has been 
reported to ensure that the company works on a fix.
-OptiKal Mouse

> From: "Joe Klein" <jsklein () mindspring com>
> Reply-To: <jsklein () mindspring com>
> To: "'Kevin E. Casey'" <kcasey () nanoweb com>,<tommy () providesecurity com>, 
> <frogman () infosecwar net>
> CC: <bugtraq () securityfocus com>, 
> <security-basics () securityfocus com>,<vuln-dev () securityfocus com>, 
> <webappsec () securityfocus com>
> Subject: RE: Question About Ethics and Full Disclosure
> Date: Wed, 9 Jun 2004 08:11:48 -0500
> MIME-Version: 1.0
> Received: from outgoing2.securityfocus.com ([205.206.231.26]) by 
> mc6-f39.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 9 Jun 2004 
> 17:14:24 -0700
> Received: from lists2.securityfocus.com (lists2.securityfocus.com 
> [205.206.231.20])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> 60A49143AF0; Wed,  9 Jun 2004 20:17:34 -0600 (MDT)
> Received: (qmail 25671 invoked from network); 9 Jun 2004 07:00:52 -0000
> X-Message-Info: JGTYoYF78jGL48EpGnia7jun7YIUh0SR
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Message-ID: <003f01c44e23$53e36590$6401a8c0@nsaifly>
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> In-Reply-To: 
> <96B5E0E83D6A07428B6CDB8775AB9FBA277007 () domain01 nanonaples com>
> X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Return-Path: bugtraq-return-14677-sysop5=hotmail.com () securityfocus com
> X-OriginalArrivalTime: 10 Jun 2004 00:14:24.0217 (UTC) 
> FILETIME=[E290CC90:01C44E7F]
>
> Below is an outline for my disclosure process.
>
>
> Vulnerability Found:
>
> 1. E-Mail & Call company about finding
>         - Document vulnerability
>         - Document date/time/who you talked to.
>         - Provide an 'ethical disclosure' reporting deadline
>                 - one to nine months, depending on the vulnerability
>         - Inform them you will be reporting them to www.cert.org and
> www.us-cert.gov
>
> 2. Report Vulnerability to:
>         A. www.cert.org :
> http://www.cert.org/reporting/vulnerability_form.txt
>         B. www.us-cert.gov : cert () cert org
>
> ----
> Vulnerability is addressed - day upgrade/patch is released
>
> 1. Disclose to your favorite list/lists
>         - Disclose your process
>         - Disclose your due diligence
>                 - communication to/from company
>                 - posting to cert.org and us-cert.gov
>         - Disclose the vulnerability
>
> ----
> Vulnerability not addressed - one to nine months
>
> 1. E-Mail & Call company
>         - Documentation of vulnerability
>         - Documentation of your due diligence
>                 - reporting communication to/from company
>                 - reporting to cert.org and us-cert.gov
>         - Provide date of disclosure
>
> Day of Disclosure:
>
> 1. Disclose to your favorite list/lists
>         - Disclose your process
>         - Disclose your due diligence
>                 - communication to/from company
>                 - posting to cert.org and us-cert.gov
>         - Disclose the vulnerability
>
>
> Opinions?
>
>
>
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey () nanoweb com]
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy () providesecurity com; frogman () infosecwar net
> Cc: bugtraq () securityfocus com; security-basics () securityfocus com;
> vuln-dev () securityfocus com; webappsec () securityfocus com
> Subject: RE: Question About Ethics and Full Disclosure
>
>
> Try calling the sales department for the shopping cart vendor.  Tell
> them you hard about the 2 vulnerabilities, thll them that when they are
> fixed, you might perhaps buy their product...  Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
>
> -----Original Message-----
> From: Tom [mailto:tommy () providesecurity com]
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman () infosecwar net
> Cc: bugtraq () securityfocus com; security-basics () securityfocus com;
> vuln-dev () securityfocus com; webappsec () securityfocus com
> Subject: Question About Ethics and Full Disclosure
>
>
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed.  Now I have found a 3rd with new services added to
> this shopping cart.
>
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
>
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
>
> Thanks,
>
> Tom Ryan
> << JosephSKlein(jsklein () mindspring com)(jsklein () mindspring com).vcf >>

_________________________________________________________________
Get fast, reliable Internet access with MSN 9 Dial-up – now 3 months FREE! 
http://join.msn.click-url.com/go/onm00200361ave/direct/01/