Full Disclosure mailing list archives
RE: Publicly Disclosing A Vulnerability
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 5 Oct 2005 13:46:49 -0400
________________________________
Subject: RE: [Full-disclosure] Publicly Disclosing A Vulnerability
So I ask the list - what is more beneficial to the customer? Not publicly disclosing the risk and hoping that they follow the suggestions of the vendor to upgrade? Or waiting 30 days and sending it out?
Your customers need to be your main concern, since they literally own this process. Piss them off by disclosing a vulnerability that they have and cannot fix, and you can bet that it'll be the last time you do business with them. Might wanna check your paperwork, too - you may hold some liability to them if you disclose this vulnerability. Of course, if you have multiple customers that are using the vulnerable product, your life is even more complicated. You may choose to discreetly inform them that a vulnerability has been discovered and that they should consider upgrading. That is an ethical and responsible course of action, but it may violate your other customers' trust. Hence, discretion.

Once your customers are taken care of, you can look at responsible disclosure avenues. But I would implore you, as long as the vendor commits to releasing a patch or notifying their customers, not to do something to sabotage their efforts, like releasing an exploit or even a detailed advisory before they've had a chance to handle it. Which reminds me, if the currently undisclosed nature of this vulnerability is allowing your customers to consider not acting, then you need to press harder.

My experience has taught me that responsible vulnerability disclosure is a thankless job. Customers are confused, vendors are angry, and more often than not there is no glory for you, as someone else will discover and disclose the same vulnerability before you're done handling it the correct way.

PaulM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)
- Re: Publicly Disclosing A Vulnerability xyberpix (Oct 05)
- Re: Publicly Disclosing A Vulnerability c0ntex (Oct 05)
- Re: Publicly Disclosing A Vulnerability phased (Oct 05)
- Re: Publicly Disclosing A Vulnerability Steve Friedl (Oct 05)
- Re: Publicly Disclosing A Vulnerability Valdis . Kletnieks (Oct 05)
- Re: Publicly Disclosing A Vulnerability Donald J. Ankney (Oct 05)
- Re: Publicly Disclosing A Vulnerability Simon Richter (Oct 05)
- Re: Publicly Disclosing A Vulnerability Martijn Lievaart (Oct 05)
- RE: Publicly Disclosing A Vulnerability Paul Melson (Oct 05)
- RE: Publicly Disclosing A Vulnerability Adriel Desautels (Oct 05)
- <Possible follow-ups>
- RE: Publicly Disclosing A Vulnerability Todd Towles (Oct 05)
- Re: Publicly Disclosing A Vulnerability FX (Oct 05)
- RE: Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)