Penetration Testing mailing list archives
Re: [PEN-TEST] disclosure and contact information
From: "shawn . moyer" <shawn () net-connect net>
Date: Wed, 7 Mar 2001 23:38:54 -0600
Ben Ford wrote:
We both agree that the vulnerabilities should be made public on our website, but he does not want to give advance notification to companies. His reasoning for this is simple. He doesn't want to invest the time to track down contact information for each and every company and/or product we end up dealing with.
His point is valid, but is he willing to handle the bad press you may receive if you release a major advisory before notifying a vendor and the vendor raises a stink?

Say, for example, someone found (shocking as it might seem) a nasty vulnerability in IIS that allowed, oh, say, the ability to pass remote shell commands through a web browser to the server as the Administrator user; it gets used to deface msn.com, and MS points the finger at you because they got hit with a zero-day sploit and you didn't go through the proper channels.

For an up-and-coming company with no rep as of yet, you don't want to come off like that. Or maybe you do. Certain folks have leveraged a black hat rep a long way, but I dunno if that'll play in a lot of boardrooms.

I'd define a reasonable response window (7 days or so), make a "best effort" to go through channels, and then post. This seems to be the reasonable rule of thumb.

For a prudent and sane perspective, read RFPolicy:

http://www.wiretrip.net/rfp/policy.html

--shawn

-- 
s h a w n   m o y e r
shawn () net-connect net

The universe did not invent justice; man did. Unfortunately, man must reside in the universe.
-- Zelazny
Current thread:
- [PEN-TEST] disclosure and contact information Ben Ford (Mar 07)
- Re: [PEN-TEST] disclosure and contact information Elias Levy (Mar 07)
- Re: [PEN-TEST] disclosure and contact information shawn . moyer (Mar 08)
- <Possible follow-ups>
- Re: [PEN-TEST] disclosure and contact information Cleary, Tom (Mar 07)