Full Disclosure mailing list archives
Re: To disclose or not to disclose
From: "Elazar Broad" <elazar () hushmail com>
Date: Sun, 28 Sep 2008 01:21:56 +0000
I would opt for #1. Additionally, contacting CERT and other quasi-government security organizations would be a plus; they might have better luck lighting a fire under the theoretical vendor's ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon () snosoft com> wrote:
Greetings,

I have a theoretical question of ethics for other security professionals that participate in this list. This is not an actual situation, but it is a potentially realistic situation that I'm interested in exploring and finding an acceptable solution to.

Suppose a penetration testing company delivers a service to a customer. That customer uses a technology that was created by a third party to host a critical component of their infrastructure. The penetration testing company identifies several critical flaws in the technology and notifies the customer, and the vendor. One year passes and the vendor has done nothing to fix the issue. The customer is still vulnerable and they have done nothing to change their level of risk and exposure. In fact, let's say that the vendor flat out refuses to do anything about the issue even though they have been notified of the problem. Let's also assume that this issue affects thousands of customers in the financial and medical industry and puts them at dire risk.

What should the security company do?

1-) Create a formal advisory, contact the vendor and notify them of the intent to release the advisory in a period of "n" days? If the vendor refuses to fix the issue does the security company still release the advisory in "n" days? Is that protecting the customer or putting the customer at risk? Or does it even change the risk level as their risk still exists?

2-) Does the security company collect a list of users of the technology and notify those users one by one? The process might be very time consuming but by doing that the security company might not increase the risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that notifies users of the technology to contact the vendor in order to gain access to the technical details about the issue?

4-) Does the security company do something else? If so, what is the appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people think the "responsible" action would be here. It appears that this is a challenge that will at some level create risk for the customer. Is it impossible to do this without creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too... especially n3td3v).

--
- simon
----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/