Full Disclosure mailing list archives
Re: To disclose or not to disclose
From: "Elazar Broad" <elazar () hushmail com>
Date: Sun, 28 Sep 2008 17:54:08 +0000
Simon,

If the issue really involves critical infrastructure you can expect (to an extent) many government and quasi-government organizations to step in and pressure the vendor to fix the issue before you go public.

A real world example. At a recent conference, I was talking to a security executive of a rather large utility and the recently disclosed Citect issue came up. He mentioned that he was at a certain government organization's lab while they were assessing the issue based on the information they received from CORE. If you read CORE's disclosure timeline, the real fire hadn't been lit until this organization, along with some others, stepped in and really got under the vendor's skin. He also mentioned how clueless Citect's initial response was, but that's another story.

Given the general awareness of these organizations of the fact that critical infrastructure vulnerabilities = potentially major problems, I think setting a deadline (which will probably be extended at the behest of these organizations) for the vendor is not a bad idea, and the chances of the issue getting fixed before you spill the beans are pretty high. You can't forget the "somewhat" obvious as well: if you found it, someone else can find it too. As far as the vendor is concerned, well, we all know what happened to a certain electronic voting machine vendor... Look, I'm no expert, this is just my .02...

elazar

On Sun, 28 Sep 2008 03:01:08 +0000 Simon Smith <simon () snosoft com> wrote:
> Elazar,
>
> I suppose that could be a good action, but doing that would potentially put the security company's customer at risk. Granted, in the argument they were already notified of the risk. So the question is, is that the ethical choice? Is that a good business choice?
>
> Elazar Broad wrote:
>> I would opt for #1; additionally, contacting CERT and other quasi-government security organizations would be a plus, they might have better luck lighting a fire under the theoretical vendor's ass...
>>
>> elazar
>>
>> On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon () snosoft com> wrote:
>>> Greetings,
>>>
>>> I have a theoretical question of ethics for other security professionals that participate in this list. This is not an actual situation, but it is a potentially realistic situation that I'm interested in exploring and finding an acceptable solution to.
>>>
>>> Suppose a penetration testing company delivers a service to a customer. That customer uses a technology that was created by a third party to host a critical component of their infrastructure. The penetration testing company identifies several critical flaws in the technology and notifies the customer, and the vendor. One year passes and the vendor has done nothing to fix the issue. The customer is still vulnerable and they have done nothing to change their level of risk and exposure. In fact, let's say that the vendor flat out refuses to do anything about the issue even though they have been notified of the problem. Let's also assume that this issue affects thousands of customers in the financial and medical industry and puts them at dire risk.
>>>
>>> What should the security company do?
>>>
>>> 1-) Create a formal advisory, contact the vendor and notify them of the intent to release the advisory in a period of "n" days? If the vendor refuses to fix the issue does the security company still release the advisory in "n" days? Is that protecting the customer or putting the customer at risk? Or does it even change the risk level, as their risk still exists?
>>> 2-) Does the security company collect a list of users of the technology and notify those users one by one? The process might be very time consuming, but by doing that the security company might not increase the risk faced by the users of the technology, will they?
>>> 3-) Does the security company release a low level advisory that notifies users of the technology to contact the vendor in order to gain access to the technical details about the issue?
>>> 4-) Does the security company do something else? If so, what is the appropriate course of action?
>>> 5-) Does the security company do nothing?
>>>
>>> I'm very interested to hear what people think the "responsible" action would be here. It appears that this is a challenge that will at some level create risk for the customer. Is it impossible to do this without creating an unacceptable level of risk?
>>>
>>> Looking forward to real responses (and troll responses too... especially n3td3v).
>>>
>>> ---
>>> simon
>>> ----------------------
>>> http://www.snosoft.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> - simon
> ----------------------
> http://www.snosoft.com