Penetration Testing mailing list archives

Re: Full Disclosure of Security Vulnerabilities


From: Patrick J Kobly <patrick () kobly com>
Date: Thu, 01 Nov 2007 09:44:51 -0600

jfvanmeter () comcast net wrote:
> Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations.
What was the nature of the contract under which you performed this work? Was it a straight pen-test consulting gig? Have you worked with this client before? Do you wish to work with them again?

It sounds like you were contracted to do a pen-test and feed the results back to the client for risk assessment / mitigation. It sounds like you were also asked to engage and liaise with the vendor with respect to discovered vulnerabilities.

This situation feels similar to the following hypothetical. Say I was contracted to write some software for a client. After writing the software, I decide that I want to release it to the net at large as an open source package. If I didn't negotiate this with the client in the contract up front, I can't do it on the back end, without negotiating with them then - they own the software that I wrote, because it was a work for hire.

Now, I know there are probably no (legal) intellectual property rights in the discovery of a vulnerability, but from an ethical perspective, these situations feel familiar.
> I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit.
Has the vendor indicated a time-frame within which they expect a fix? How prevalent is this software outside your client's organization?
> My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?
Have you / your client discovered / deployed reasonable mitigation strategies for use until the vendor repairs their faulty product?

At this point, I'd suggest that discretion is the better part of valor. Try to negotiate with your client a reasonable disclosure process. Suggest that you have a professional responsibility to consider the impact on other users of this software package. Perhaps:

- Disclosure of vendor / package / presence and type of vulnerability (where this information does not directly point at an exploitation technique) on discovery
- Disclosure of vendor / package / presence of vulnerability to [list specific forums] with mitigation strategies upon discovery and implementation of mitigation strategies
- Full disclosure of vulnerability including exploit details / packet dumps / other evidence once vendor has released an update, or once you have evidence of exploitation in the wild

The point here is that your client needs to be on board. This is _much_ easier to do in initial negotiations, before you conduct the pen-test - try working it into future contracts...

PK


