Full Disclosure mailing list archives

Re: To disclose or not to disclose


From: AaRoNg11 <aarong11 () gmail com>
Date: Sat, 27 Sep 2008 22:07:56 +0100

Well, if you've already warned your client that their software is vulnerable
and they haven't changed to an alternative, then it's fine to release an
advisory with all of the details.

I really don't understand why they'd pay for a penetration test to not take
action if their software was vulnerable. If the vendor is extremely
unresponsive to any information, it may be the case that releasing the
technical details to the public is the only way to get them to take notice.
Just think, you might not be the only person who has found out about the
exploit. There might be some black hat hacker somewhere using it to meet
their own ends. Some vendors are just like that though; they refuse to do
anything until it's too late. Maybe they'll start taking notice of bug
reports after this happening a few times and losing half of their clients.

On Sat, Sep 27, 2008 at 6:25 PM, Simon Smith <simon () snosoft com> wrote:

Great replies guys!

       So let's take this a step further. Let's suppose (again just theory)
that the security company did notify the software vendor and did tell the
vendor where the security issues were in their technology, how to
exploit the issues, provided a proof of concept, and provided clear and
actionable methods for remediation. Let's then say that the software
vendor flat out, point blank, rejected that information and refused to
implement any fixes.

       Just to make this more interesting, let's say that this all happened
over one year ago. Let's also say that the customer who was being tested
by the security company and that is using the vulnerable software has
yet to address the vulnerability in their own network too.

       Is it the ethical duty of the security company to release an
advisory? Does that advisory put the customer at risk? It is clearly
unethical to do nothing and to leave everyone else at risk. How to proceed?

--

- simon

----------------------
http://www.snosoft.com


-- 
Aaron Goulden
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
