Date: Fri Oct  7 10:14:41 2005
From: Kevin.Fielder at ge.com (Fielder, Kevin (GE Consumer Finance))
Subject: Websites vulnerabilities disclosure

Hi all,

Surely a better analogy would be: you store many people's property in your
home, which has an improperly fitted front door.

You make money from the "secure" storing of this property, and the
customers assume that their property is safe with you.

If you leave the door in its current state and refuse to fix it, do your
customers (and potential customers) deserve to know?

I believe that businesses should be allowed a reasonable time to resolve
issues, but if they refuse and continue to put clients' data and
businesses at risk, then disclosure is not a bad thing.  If you found the
vulnerability, sooner or later someone with nefarious intent will also.

Just my opinion of course (first post on this list as well!)

Cheers

K

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Raghu
Chinthoju
Sent: 07 October 2005 10:09
To: offtopic
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Websites vulnerabilities disclosure

I say, "... hey listen! Your house entrance door latch isn't strong
enough.. there are only 4 screws instead of 16, which is the practice..
you have a risk of someone easily barging into your house ...". For
some reason you don't respond.. I publish it in the local newspaper
that ".. Mr. X's door latch is weak and anyone can break it easily ..."
Do you think it is ethical??? I seriously think not.

Moreover, going by my personal experience, I think 5 out of 10
websites[1] would be vulnerable to some kind of security issue, like
running vulnerable versions of the web server, improper input validation
etc., which are just specific to them and their clients. What would be the
interest of the general public in such issues? I don't think anyone from
those sites would be part of bugtraq or FD, as you mentioned that they
are not vendors. Your publication will only increase the magnitude of
their risk and doesn't do good to anyone.
If you have time, try to provide them with the required knowledge or
fix. If you can't, just leave them to their fate and move on..

Raghu

[1] I don't have any data to support this.. If you don't agree, please do
so. You have every right to :)


On 10/6/05, offtopic <offtopic@...l.ru> wrote:
> Hi List.
> I need your opinion.
> Recently I found multiple vulnerabilities in several sites. Some sites
> belong to security-related firms but not software vendors. I'm trying to
> contact those companies under rfpolicy several times but don't receive
> any response, or receive something like "what injection are you talking
> about?".
>
> I want to know - is it "ethical" to use standard vulnerability
> disclosure policies for public websites? Which third party can be used
> as coordinator, like CERT/CC?
> Or in other words - who should care about Web-site security?
> Thank you.
>
> (c)oded by offtopic@...l.ru
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>