Full Disclosure mailing list archives
Re: How to Report a Security Vulnerability to Microsoft
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 13 Apr 2005 10:23:48 -0700
On Wed, Apr 13, 2005 at 01:01:19PM -0400, bkfsec wrote:
I agree with you. I wasn't implying that people shouldn't work with MSFT on disclosures, rather that their attitude had not changed nearly as much as some people seem to think it has.
Microsoft has interests that are not entirely in line with their users, and certainly not even mostly in line with security researchers, so it's no surprise that these come into conflict, sometimes painfully.
There's also a big difference between should and must. Security researchers should work with vendors to get solutions out responsibly, including Microsoft, but they should not be restricted from publishing their findings if a vendor just wants to sweep things under a rug.
I guess I'm not sure what you mean by this. If you mean that a vendor is blowing somebody off (not replying, "we don't think it's an issue", etc.), then I don't have any trouble burning them: "Not a bug? Oh yah?" When I got totally blown off by Standard & Poors a coupla years ago, the only thing that got them off their asses was full, embarrassing disclosure. http://www.securityfocus.com/guest/2137 I'd do the same thing today given the same circumstances. But if the vendor does get out a patch (even if not timely), releasing the full details of the vuln on the same day *does* put users at risk, so we're left with a balance between user interests and researcher interests. My personal resolution: write two advisories. The first one is released with the patch, but it doesn't contain a roadmap for how to create an exploit. This gives the researcher the credit for the initial discovery. The second advisory has all the details, and I'd hold it until either some time period (90 days?) or until an active exploit was circulating. This lets me publish the technical details sooner or later but at least gives a head-fake to "caring about the users". And I'm not sure this is entirely a supportable position: if I find some vuln, I assume others have it too and are actively - but privately - using it, so my withholding the details might not make any meaningful difference in actually helping the users. But - for me - the perception of caring -vs- not caring about the users is enough to get me to hold off. Others clearly resolve this differently. Steve -- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: How to Report a Security VulnerabilitytoMicrosoft, (continued)
- Re: How to Report a Security VulnerabilitytoMicrosoft Georgi Guninski (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft mcbain (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft dk (Apr 12)
- Re: How to Report a Security VulnerabilitytoMicrosoft bkfsec (Apr 13)
- Re: How to Report a Security VulnerabilitytoMicrosoft bkfsec (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Georgi Guninski (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Danny (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft bkfsec (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft bkfsec (Apr 13)
- Re: How to Report a Security Vulnerability to Microsoft Steve Friedl (Apr 13)
- Re: How to Report a Security VulnerabilitytoMicrosoft dk (Apr 19)
- Re: How to Report a Security VulnerabilitytoMicrosoft Georgi Guninski (Apr 19)