Re: To disclose or not to disclose

["Elazar Broad" <elazar () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would opt for #1, additionally, contacting CERT and other quasi-
government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendors ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon () snosoft com>
wrote:
> Greetings,
>       I have a theoretical question of ethics for other security
> professionals that participate in this list. This is not an actual
> situation, but it is a potentially realistic situation that I'm
> interested in exploring and finding an acceptable solution to.
>
>       Supposed a penetration testing company delivers a service to a
> customer. That customer uses a technology that was created by a
> third
> party to host a critical component of their infrastructure. The
> penetration testing company identifies several critical flaws in
> the
> technology and notifies the customer, and the vendor.
>
>       One year passes and the vendor had done nothing to fix the issue.
> The
> customer is still vulnerable and they have done nothing to change
> their
> level of risk and exposure. In fact, lets say that the vendor flat
> out
> refuses to do anything about the issue even though they have been
> notified of the problem. Lets also assume that this issue affects
> thousands of customers in the financial and medical industry and
> puts
> them at dire risk.
>
>       What should the security company do?
>
> 1-) Create a formal advisory, contact the vendor and notify them
> of the
> intent to release the advisory in a period of "n" days? If the
> vendor
> refuses to fix the issue does the security company still release
> the
> advisory in "n" days? Is that protecting the customer or putting
> the
> customer at risk? Or does it even change the risk level as their
> risk
> still exists.
>
> 2-) Does the security company collect a list of users of the
> technology
> and notify those users one by one? The process might be very time
> consuming but by doing that the security company might not
> increase the
> risk faced by the users of the technology, will they?
>
> 3-) Does the security company release a low level advisory that
> notifies
> users of the technology to contact the vendor in order to gain
> access to
> the technical details about the issue?
>
> 4-) Does the security company do something else? If so, what is
> the
> appropriate course of action?
>
> 5-) Does the security company do nothing?
>
> I'm very interested to hear what people thin the "responsible"
> action
> would be here. It appears that this is a challenge that will at
> some
> level create risk for the customer. Is it impossible to do this
> without
> creating an unacceptable level of risk?
>
> Looking forward to real responses (and troll responses too...
> especially
> n3td3v).
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkje3DUACgkQi04xwClgpZgNygP/QqmBS7EsjbZlKzVML7Cyl7oeSWlF
ROUxBygcf6uoXzHK0dOYDeCSltj+OZNOZHT8e2rcHp65XOJEqbZ8kfcU8tjeyVrYSr6k
kcyEzaNg0AijElSu4h2mBmig5c7LVbp8oqpASlTFccmlEDzjWFAo+uH01kDNEe6acM12
X/natz8=
=70tc
-----END PGP SIGNATURE-----

--
Enhance your home's curb appeal with name brand shutters. Click now.
http://tagline.hushmail.com/fc/Ioyw6h4dZrivVCHacmH7slSOQiWoYLmDiE5JIGDw7AHpcvidVlB4EY/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/