Date: Sun, 28 Sep 2008 01:21:56 +0000
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, simon@...soft.com
Subject: Re: To disclose or not to disclose

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would opt for #1, additionally, contacting CERT and other quasi-
government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendors ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon@...soft.com>
wrote:
>Greetings,
>	I have a theoretical question of ethics for other security
>professionals that participate in this list. This is not an actual
>situation, but it is a potentially realistic situation that I'm
>interested in exploring and finding an acceptable solution to.
>
>	Supposed a penetration testing company delivers a service to a
>customer. That customer uses a technology that was created by a
>third
>party to host a critical component of their infrastructure. The
>penetration testing company identifies several critical flaws in
>the
>technology and notifies the customer, and the vendor.
>
>	One year passes and the vendor had done nothing to fix the issue.
>The
>customer is still vulnerable and they have done nothing to change
>their
>level of risk and exposure. In fact, lets say that the vendor flat
>out
>refuses to do anything about the issue even though they have been
>notified of the problem. Lets also assume that this issue affects
>thousands of customers in the financial and medical industry and
>puts
>them at dire risk.
>
>	What should the security company do?
>
>1-) Create a formal advisory, contact the vendor and notify them
>of the
>intent to release the advisory in a period of "n" days? If the
>vendor
>refuses to fix the issue does the security company still release
>the
>advisory in "n" days? Is that protecting the customer or putting
>the
>customer at risk? Or does it even change the risk level as their
>risk
>still exists.
>
>2-) Does the security company collect a list of users of the
>technology
>and notify those users one by one? The process might be very time
>consuming but by doing that the security company might not
>increase the
>risk faced by the users of the technology, will they?
>
>3-) Does the security company release a low level advisory that
>notifies
>users of the technology to contact the vendor in order to gain
>access to
>the technical details about the issue?
>
>4-) Does the security company do something else? If so, what is
>the
>appropriate course of action?
>
>5-) Does the security company do nothing?
>
>I'm very interested to hear what people thin the "responsible"
>action
>would be here. It appears that this is a challenge that will at
>some
>level create risk for the customer. Is it impossible to do this
>without
>creating an unacceptable level of risk?
>
>Looking forward to real responses (and troll responses too...
>especially
>n3td3v).
>
>--
>
>- simon
>
>----------------------
>http://www.snosoft.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkje3DUACgkQi04xwClgpZgNygP/QqmBS7EsjbZlKzVML7Cyl7oeSWlF
ROUxBygcf6uoXzHK0dOYDeCSltj+OZNOZHT8e2rcHp65XOJEqbZ8kfcU8tjeyVrYSr6k
kcyEzaNg0AijElSu4h2mBmig5c7LVbp8oqpASlTFccmlEDzjWFAo+uH01kDNEe6acM12
X/natz8=
=70tc
-----END PGP SIGNATURE-----

--
Enhance your home's curb appeal with name brand shutters. Click now.
http://tagline.hushmail.com/fc/Ioyw6h4dZrivVCHacmH7slSOQiWoYLmDiE5JIGDw7AHpcvidVlB4EY/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists