Date: Fri, 18 Jul 2003 13:57:08 -0700 (PDT)
From: Josh Daymont <joshd@...gard.net>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Disclosure-for-pay?



Regarding the ethics of demanding money for vulnerability information:
In most modern industrialized nations, asking a vendor to pay for the
details of a security vulnerability is both unethical, and is or should be
criminal extortion of both the vendor, and by extension, the vendor's
customers.  However, after many years of working in the security industry,
I've come to realize that in many parts of the world, including some
economically advanced Asian nations, this kind of activity is considered
either acceptable or is tolerated to a greater or lesser extent.  This is
by no means an excuse for the behavior, I only mention it so that you
don't jump to any conclusions about an intent or malice that this
individual may or may not have for your firm.

There are a number of things that can be done when these kinds of things
happen, but first and foremost you should take notice of two things: you
have been notified of a potential hole in your customer's networks and
also, frankly, a potential public relations liability for your firm.
Because of this you should try to stay to see if you can convince this
person to do the right thing and provide you with the information. Do not
give in to demands for money under any circumstances. One strategy in
these cases is to turn the tables on such a person by telling them that
you intend to make their identity public and state the truth about them,
which is that they are attempting to hold an ethical firm and its
customers hostage for cash. If the individual is reluctant to provide the
details, consider demanding that he or she provide some proof of the
vulnerability's existence, either through partial technical details or a
live exploit demonstration; then try to use these details to determine the
nature of what has been found. It's a generally accepted practice to give
credit to people outside of a firm for reporting a security vulnerability
in a responsible manner; perhaps this person would accept such
public credit as a career boost in lieu of a ransom.  As a last resort,
consider contacting law enforcement or the NIPC (www.nipc.gov). In the
event that none of the above works, you can at least truthfully tell your
customers that you made a best effort to address the issue.

-Josh
http://www.mobile-secure.com/

On Wed, 16 Jul 2003, Jay D. Dyson wrote:

> On Wed, 16 Jul 2003, Talley, Brooks wrote:
>
> > My company recently received a communication from someone purporting to
> > know of a security vulnerability in our web application. The individual
> > stated that they would sign an NDA and report the details of the
> > vulnerability to us if we paid his "consulting fee" and provided future
> > services to him at no cost.
>
> 	Call me unruly, but that sounds like extortion to me.  Indeed,
> it's all too akin to someone knocking on your door and claiming they've
> found a way to steal your car...but if you'll give them free rides around
> town, they'll keep it quiet.
>
> > Is that kind of demand for payment for reporting a vulnerability at all
> > the norm?
>
> 	No, this is _not_ the norm.  If anything, it's unethical.  In some
> circles, it's considered illegal.  There have been a few people who've
> been pinched by law enforcement for such "offers."
>
> 	Bottom line: you didn't hire this individual to audit your
> applications, so he's out of line asking for compensation.
>
> - -Jay
>
>    (    (                                                        _______
>    ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
>  C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@...achery.net -----<) |    = |-'
>   `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'  `------'
>