Re: Scanners and unpublished vulnerabilities - Full Disclosure

[Philippe De ARAUJO <philippe_dearaujo () yahoo fr>]

Beside all commercial involvement, i'm agree with that
point of view.

I also work in that business and these kind of
questions are everlasting customers ones.

As Renaud Deraison said, a good way is probably making
closer links between the scanner editors and the
product editors.

An idea could be  :
 - Create a kind of "Ethical Vulnerability Find
Process" label
 - say someone gets a new vulnerability, he sends the
information to the product editor AND the others
security scanner actors,
 - Let time pass (say 1 or 2 weeks) giving the product
editor time to create the patch
 - When the editors publish the patch ( ASAP of course
;-)) , they accept to 
       * give credits to the one who discovered the
point
       * show the date of the discover
 - When a vulnerability scanner is done, the reports
ALSO gives the credits

This way :
 - The Vulnerability Finder will keep credit of the
discover (all process and actors long),

 - Scanner and Product Editors can prove they
reactivity ( more and more important for customers ).
In a business point of view, they also can money it.

 - A client can get any scanner only depending on his
needs and the product functionalities.

 - Scanner Editors get free advertising from the
product and scanner editors

 - Give faith in the products with that FREE label
(customers who think about 'doctors are also the
creators' will see the origine and date of the
discover and if the product editor is aware of
security).

 - If a vuln. finding race is start, everybody win.


I know this idea looks like utopia but i'm certain
that getting closer of it will pay attention to
security points, so, give faith and ease the security
officer job.

Best regards,

 --- zol () hushmail com a écrit : > 
> A lot of emotion on both part !!! ;-)
> Let's try not to be sensitive, this is an open
> discussion
> between people who share some ideas ;-)
>
> I jut want to review the concept, perhaps i'm wrong
> : 
> 1- David find a new vuln, insert the detection in
> his scanner
> 2- He send the bug to the vendor and wait one week
> to published it even
> if the patch is not released.
>
> - Let's think about the future if all the
> vulnerability assesment scanners adopt
> the same strategy.
> ( Of course not only NGS can discover new
> vulnerability ;-) )
> It could become a race between competitors to
> provide NEW vulnerability
> detection. Of course such emulation is good but it
> can move to the dark side.
> Yep we can easly imagine the scanners guys hiding
> their discoveries and keeping
> them for their customers only !
> What i see in this case is that people who buy such
> product will be lost :
> which one to choose ? which one have the best 0-day
> ? this is really fun,
> isn't it ?
> I just imagined what could be the future even if
> david plan to publish his vuln,
> and it brings me to my second point :
>
> - Publishing a vulnerability is a question of policy
> everyone is free
> to do whatever he wants.
> For me i would say it's a little bit hazardous to
> publish a vulnerability
> if a vendor patch is not ready.
>
> These days there is more and more talented people in
> the security area,
> bad guys, good guys,...;-) and these days we can say
> that the script kiddy definition has changed : Now a
> script kiddy is someone which can write an exploit
> thanks to the advisory..... 
> If no patch is provided you will see a lot of system
> compromised !
> In fact more than if it was not published.
> Also it could happen that there is not workaround
> except the vendor
> patch to avoid the vuln. In the case you will ask
> your customer to turn
> his service down ?
>
> Ok i hope it was clear just to summarize :
> - all the vulnerability scanners will do the same (
> NGS like the
> others want to do business ) and customers will be
> lost.
> - publishing vulnerability before the patch is done
> is a hudge risk. 
>
> Thanks and i hope that nobody was offended.
>
> zol
>
>
>
> Hush provide the worlds most secure, easy to use
> online applications - which solution is right for
> you?
> HushMail Secure Email http://www.hushmail.com/
> HushDrive Secure Online Storage
> http://www.hushmail.com/hushdrive/
> Hush Business - security for your Business
> http://www.hush.com/
> Hush Enterprise - Secure Solutions for your
> Enterprise http://www.hush.com/
>
> Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA
> service which
> automatically alerts you to the latest security
> vulnerabilities please see:
> https://alerts.securityfocus.com/
>  

___________________________________________________________
Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français !
Yahoo! Mail : http://fr.mail.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/