Full Disclosure mailing list archives
Re: To disclose or not to disclose
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Mon, 29 Sep 2008 08:14:43 +0200
Salut, Simon,

On Fri, 26 Sep 2008 23:39:34 -0400, Simon Smith wrote:

> 1-) Create a formal advisory, contact the vendor and notify them of the intent to release the advisory in a period of "n" days? If the vendor refuses to fix the issue, does the security company still release the advisory in "n" days? Is that protecting the customer or putting the customer at risk? Or does it even change the risk level, as their risk still exists?

Not good; this is usually interpreted as coercion by companies like e.g. Cisco. I've seen cases where companies had all of their Cisco accounts terminated because someone took this approach.

> 2-) Does the security company collect a list of users of the technology and notify those users one by one? The process might be very time consuming, but by doing that the security company might not increase the risk faced by the users of the technology, will they?

There's a better way to do this than to find every single user: become a member of a local CERT, and have the issue discussed there, for example.

> 3-) Does the security company release a low level advisory that notifies users of the technology to contact the vendor in order to gain access to the technical details about the issue?

Do not anonymously release advisories for security issues the vendor has not acknowledged! This is a straight road to trouble.

> I'm very interested to hear what people think the "responsible" action would be here. It appears that this is a challenge that will at some level create risk for the customer. Is it impossible to do this without creating an unacceptable level of risk?

Sometimes other CERT members happen to have developer accounts for the products in question, if such a thing exists. This allows you to create a patch for the product and circulate it along with the advisory. This minimizes the risk level for users of the product, of course.

Tonnerre

--
SyGroup GmbH
Tonnerre Lombard, Solutions Systematiques
Tel: +41 61 333 80 33    Güterstrasse 86
Fax: +41 61 383 14 67    4053 Basel
Web: www.sygroup.ch      tonnerre.lombard () sygroup ch
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- To disclose or not to disclose Simon Smith (Sep 26)
- Message not available
- Re: To disclose or not to disclose AaRoNg11 (Sep 27)
- Re: To disclose or not to disclose Simon Smith (Sep 27)
- Re: To disclose or not to disclose . (Sep 27)
- Re: To disclose or not to disclose AaRoNg11 (Sep 27)
- Re: To disclose or not to disclose AaRoNg11 (Sep 27)
- Message not available
- Re: To disclose or not to disclose Pavel Kankovsky (Sep 28)
- Re: To disclose or not to disclose M . B . Jr . (Sep 28)
- Re: To disclose or not to disclose Tonnerre Lombard (Sep 28)
- <Possible follow-ups>
- Re: To disclose or not to disclose Elazar Broad (Sep 27)
- Re: To disclose or not to disclose Simon Smith (Sep 27)
- Re: To disclose or not to disclose Elazar Broad (Sep 28)