Date: Sat, 27 Sep 2008 22:07:56 +0100
From: AaRoNg11 <aarong11@...il.com>
To: "Simon Smith" <simon@...soft.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: To disclose or not to disclose

Well, if you've already warned your client that their software is vulnerable
and they haven't changed to an alternative, then it's fine to release an
advisory with all of the details.

I really don't understand why they'd pay for a penetration test and then not take
action if their software was vulnerable. If the vendor is extremely
unresponsive to any information, it may be the case that releasing the
technical details to the public is the only way to get them to take notice.
Just think, you might not be the only person who has found out about the
exploit. There might be some black hat hacker somewhere using it to meet
their own ends. Some vendors are just like that though; they refuse to do
anything until it's too late. Maybe they'll start taking notice of bug
reports after this has happened a few times and they've lost half of their clients.

On Sat, Sep 27, 2008 at 6:25 PM, Simon Smith <simon@...soft.com> wrote:

> Great replies guys!
>
>        So let's take this a step further. Let's suppose (again just theory)
> that the security company did notify the software vendor and did tell the
> vendor where the security issues were in their technology, how to
> exploit the issues, provided a proof of concept, and provided clear and
> actionable methods for remediation. Let's then say that the software
> vendor flat out, point blank, rejected that information and refused to
> implement any fixes.
>
>        Just to make this more interesting, let's say that this all happened
> over one year ago. Let's also say that the customer who was being tested
> by the security company and that is using the vulnerable software has
> yet to address the vulnerability in their own network too.
>
>        Is it the ethical duty of the security company to release an
> advisory? Does that advisory put the customer at risk? It is clearly unethical to
> do nothing and to leave everyone else at risk. How to proceed?
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
>
>
-- 
Aaron Goulden

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/