Full Disclosure mailing list archives
Re: Question about ethics when discovering a security fault in system
From: Jeremy Bishop <requiem () praetor org>
Date: Thu, 27 Oct 2005 11:51:09 -0700
On Thursday 27 October 2005 11:28, Torbjörn Samuelsson wrote:
Hi I stumbled upon a security fault (discovered it by mistake) this Sunday in a perimeter security device. The day after I contacted the manufacturer and informed them about it and later that evening the acknowledged the problem and they where able to reproduce it.
This sounds like a decent response time. Was it a "we looked into this and it seems you are correct" response that you received, or something closer to "yeah, we already know about that and don't really care"?
My question is what is good ethics for me to continue with this?
What I want a resolution so the device we bought to provide us with remote access and security shall work securely and that the company
So, you are also a customer? This gives you excellent grounds for asking how the company plans to correct this flaw. Since it seems their initial response was both prompt and favorable, it's likely that some sort of update will be made available. Your responsibility is to find a way to mitigate the current risk to your company until a fix is in place. This usually includes allowing some time for the company to produce such a fix. Going immediately public with the flaw is less than polite to the company, and will also jeopardize your own company. (I.e. People will now not only about the flaw, but about someone who is vulnerable to it: you.)
shall inform other owner of there products about the problem so they wont have the same security breach.
It is possible that the company may do this on their own. You don't have a responsibility to their other customers, only a more generalized responsibility to the community. Custom on this list is that the vulnerability is revealed after a reasonable time. "Reasonable" is a balance between allowing the vendor to produce a fix (so that when the problem is announced, people aren't needlessly exposed) and alerting the community to a problem (because it's likely someone else already knows about the problem, and is exploiting it). Jeremy -- ...would you work for a company that couldn't tell the difference in quality of its employees' normal work product and the work product of someone on drugs without performing a test? -- socks _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Question about ethics when discovering a security fault in system Torbjörn Samuelsson (Oct 27)
- Re: Question about ethics when discovering a security fault in system Jeremy Bishop (Oct 27)
- Re: Question about ethics when discovering a security fault in system Michael Holstein (Oct 27)
- Re: Question about ethics when discovering a securityfault in system Morning Wood (Oct 27)