lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 26 Sep 2008 23:39:34 -0400
From: Simon Smith <simon@...soft.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: To disclose or not to disclose

Greetings,
	I have a theoretical question of ethics for other security
professionals that participate in this list. This is not an actual
situation, but it is a potentially realistic situation that I'm
interested in exploring and finding an acceptable solution to.

	Supposed a penetration testing company delivers a service to a
customer. That customer uses a technology that was created by a third
party to host a critical component of their infrastructure. The
penetration testing company identifies several critical flaws in the
technology and notifies the customer, and the vendor.

	One year passes and the vendor had done nothing to fix the issue. The
customer is still vulnerable and they have done nothing to change their
level of risk and exposure. In fact, lets say that the vendor flat out
refuses to do anything about the issue even though they have been
notified of the problem. Lets also assume that this issue affects
thousands of customers in the financial and medical industry and puts
them at dire risk.

	What should the security company do?

1-) Create a formal advisory, contact the vendor and notify them of the
intent to release the advisory in a period of "n" days? If the vendor
refuses to fix the issue does the security company still release the
advisory in "n" days? Is that protecting the customer or putting the
customer at risk? Or does it even change the risk level as their risk
still exists.

2-) Does the security company collect a list of users of the technology
and notify those users one by one? The process might be very time
consuming but by doing that the security company might not increase the
risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that notifies
users of the technology to contact the vendor in order to gain access to
the technical details about the issue?

4-) Does the security company do something else? If so, what is the
appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people thin the "responsible" action
would be here. It appears that this is a challenge that will at some
level create risk for the customer. Is it impossible to do this without
creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too... especially
n3td3v).

-- 

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ