lists.openwall.net: Open Source and information security mailing list archives
Date: Thu Oct 27 21:46:58 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Question about ethics when discovering a security fault in system

> My question is what is good ethics for me to continue with this? Since I 
> discovered it by mistake, and everyone can do the same thing and 
> everyone can reproduce it. And it is a perimeter security device 
> providing remote access from a large manufacturer. And might be a known 
> problem by others than the manufacturer, however the product has only 
> been on the market for about 2 months.

You write up your advisory, like many that you see here, without 
revealing the details of the exploit.

> What I want is a resolution so the device we bought to provide us with 
> remote access and security shall work securely and that the company 
> shall inform other owners of their products about the problem so they 
> won't have the same security breach.

Standard practice is to give the vendor a reasonable amount of time to 
respond. (exact value of that depends on the person .. I'd say ~30 days 
is average .. but some will wait until some number of days AFTER a patch 
is released) -- then you release a modified version of your advisory 
with the exploit details.

Sure .. others might discover it "by accident" .. but security 
researchers that do that aren't the folks that'd write worms or go 
hacking about. It's the scriptkiddies that read PoC code on FD and 
elsewhere that do. Write the advisory (claim your credit of discovery), 
leave out the gory details, and wait for the vendor (reasonably).

Sometimes you've got to nail them with PoC code to get the fire lit .. 
but usually they don't like getting embarrassed that way.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
