Re: Publicly Disclosing A Vulnerability

[phased <phased () mail ru>]

Firstly, html email sucks!
Secondly, I think the situation has no preferable solution from a customer
stand point.

Disclosure

Exposes customers to unprepared risk by mallicious intruders with the knowledge of the vulnerability.  While vendor 
writes a patch, customers are potentially at risk for an undefined period of time.

People who know about it: everyone!
Scenario: Mad rush to write and install patches before system gets compromised
Propogation windows for virii and worms
---------------

Non-Disclosure

Safe only from people who dont know about the vulnerability.

People who know about it, either:

Work for the company
People with agreements on its disclosure
Mallicous intruder that has obtained the information

Scenario: No patch, if an intruder gets hold of the information and starts
compromising systems and or writes a worm, there will be the same mad rush
as the disclosure scenario as people start to possibly notice.

The risk reduction assosciated with non-disclosure is based on the probability
that a mallicious intruder will not obtain the information or discover it
themselves before the patch is released to customers.

However even when the patch is released, there is the same disclosure associated infection/compromisation window before 
customers can install the
patch.  Even automated systems will not be able to deliver it to every customer
instantaneously.

So to summarise, disclosure is chucking the shit @ the fan and non-disclosure is a gamble.  Both cases do not have an 
amazing outcome this is the nature of
vulnerabilities.

However if we look at it from a moral stand point, if the customer has paid
for a peice of software, they deserve to know whats wrong with it.  By reporting bugs you might be increasing the long 
term security of the application, but in the short term you can potentially cause a shit storm.

If you look at it from another point of view, why should you report bugs for
free to a company that is making money from some software.

My brief thoughts on the subject.

-----Original Message-----
From: "Josh Perrymon" <perrymonj () networkarmor com>
To: <full-disclosure () lists grok org uk>
Date: Wed, 5 Oct 2005 09:52:14 -0500
Subject: [Full-disclosure] Publicly Disclosing A Vulnerability

> Ok,
>
>  
>
> I believe in working with the Vendor to inform then of vulnerable
> software upon finding it in the wild so on...
>
> But I have a question...
>
>  
>
> While performing a pen-test for a large company I found a directory
> transversal vulnerability in a search program-
>
> I used Achilles and inserted the DT attack in a hidden field and posted
> it to the web server. This returned the win.ini..
>
> Cool..
>
>  
>
> Well... I called the company up and got the lead engineer on the phone..
> He seemed a little pissed.
>
> He told me that they found the hole internally a couple months ago but
> they don't want it public and they said I should not tell anyone about
> it because they don't want their customers at risk.
>
>  
>
> So I ask the list- what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade?  Or waiting 30 days and send it out?
>
>  
>
>  
>
>  
>
> Joshua Perrymon
>
> Sr. Security Consultant
>
> Network Armor
>
> A Division of Integrated Computer Solutions
>
> perrymonj( at <mailto:perrymonj () networkarmor com>  )networkarmor.com
>
> Cell. 850.345.9186
>
> Office: 850.205.7501 x1104
>
>  
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/