Penetration Testing mailing list archives

Re: [PEN-TEST] disclosure and contact information


From: "shawn . moyer" <shawn () net-connect net>
Date: Wed, 7 Mar 2001 23:38:54 -0600

Ben Ford wrote:

We both
agree that the vulnerabilities should be made public on our website, but
he does not want to give advance notification to companies.  His
reasoning for this is simple.  He doesn't want to invest the time to
track down contact information for each and every company and/or product
we end up dealing with.

His point is valid, but is he willing to handle the bad press you may
receive if you release a major advisory before notifying a vendor and
the vendor raises a stink?

Say for example someone found (shocking as it might seem) a nasty
vulnerability in IIS that allowed, oh, say, the ability to pass remote
shell commands through a web browser to the server as the Administrator
user, it gets used to deface msn.com, and MS points the finger at you
because they got hit with a zero-day sploit and you didn't go through
the proper channels.

For an up-and-coming company with no rep as of yet, you don't want to
come off like that. Or maybe you do. Certain folks have leveraged a
black hat rep a long way, but I dunno if that'll play in a lot of
boardrooms.

I'd define a reasonable response window (7 days or so), make a "best
effort" to go through channels, and then post. This seems to be the
reasonable rule of thumb. For a prudent and sane perspective, read
RFPolicy. http://www.wiretrip.net/rfp/policy.html

--shawn


--

s h a w n   m o y e r
shawn () net-connect net


The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny