Re: Full Disclosure of Security Vulnerabilities

[jfvanmeter () comcast net]

Hello Patrick
 -------------- Original message ----------------------
From: Patrick J Kobly <patrick () kobly com>
> jfvanmeter () comcast net wrote:
> >  Hello Everyone, I would llike to get your thoughts on Full Disclosure of 
> Security Vulnerabilities . About 3 weeks ago during a per-test of a software 
> suite for a client of myine, I found a directory traversal in a software suite 
> that my client has installed on thousands of workstation.
> What was the nature of the contract under which you performed this 
> work?  Was it a straight pen-test consulting gig?  Have you worked with 
> this client before?  Do you wish to work with them again?
>
> It sounds like you were contracted to do a pen-test and feed the results 
> back to the client for risk assessment / mitigation.  It sounds like you 
> were also asked to engage and liaise with the vendor with respect to 
> discovered vulnerabilities.
>
> This situation feels similar to the following hypothetical.  Say I was 
> contracted to write some software for a client.  After writing the 
> software, I decide that I want to release it to the net at large as an 
> open source package.  If I didn't negotiate this with the client in the 
> contract up front, I can't do it on the back end, without negotiating 
> with them then - they own the software that I wrote, because it was a 
> work for hire.
>
> Now, I know there are probably no (legal) intellectual property rights 
> in the discovery of a vulnerability, but from an ethical perspective, 
> these situations feel familiar.
> > I send screen shots and a packet capture to the vendor and they were able to 
> to recreate the exploit.
> >   
> Has the vendor indicated a time-frame within which they expect a fix?  
No
> How prevalent is this software outside your client's organization?
The client has thousand of them, so potential there could be a large number of organizations that have hunderds

> > my cleint doesn't want to go public with it because of the thousands of 
> workstations and servers that its installed on. I also don't believe the vendor 
> will go public with it, what would you all do? 
> >   
> Have you / your client discovered / deployed reasonable mitigation 
> strategies for use until the vendor repairs their faulty product?
Currently I'm working on using IPSec to control access to the ports

> At this point, I'd suggest that discretion is the better part of valor.  
> Try to negotiate with your client a reasonable disclosure process.  
> Suggest that you have a professional responsibility to consider the 
> impact on other users of this software package.  Perhaps:
>
> - Disclosure of vendor / package / presence and type of vulnerability 
> (where this information does not directly point at an exploitation 
> technique) on discovery
> - Disclosure of vendor / package / presence of vulnerability to [list 
> specific forums] with mitigation strategies upon discovery and 
> implementation of mitigation strategies
> - Full disclosure of vulnerability including exploit details / packet 
> dumps / other evidence once vendor has released an update, or once you 
> have evidence of exploitation in the wild
>
> The point here is that your client needs to be on board.  This is _much_ 
> easier to do in initial negotiations, before you conduct the pen-test - 
> try working it into future contracts...
>
> PK


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------