Date: Wed Oct  5 18:47:00 2005
From: pmelson at gmail.com (Paul Melson)
Subject: Publicly Disclosing A Vulnerability

________________________________
Subject: RE: [Full-disclosure] Publicly Disclosing A Vulnerability

> So I ask the list- what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade? Or waiting 30 days and send it out?

Your customers need to be your main concern, since they literally own this
process.  Piss them off by disclosing a vulnerability that they have and
cannot fix, and you can bet that it'll be the last time you do business with
them.  Might wanna check your paperwork, too - you may hold some liability
to them if you disclose this vulnerability.  

Of course, if you have multiple customers that are using the vulnerable
product, your life is even more complicated.  You may choose to discreetly
inform them that a vulnerability has been discovered and that they should
consider upgrading.  That is an ethical and responsible course of action,
but it may violate your other customers' trust.  Hence, discretion.

Once your customers are taken care of, you can look at responsible
disclosure avenues.  But I would implore that, as long as the vendor commits
to releasing a patch or notifying their customers, you don't do something to
sabotage their efforts like releasing an exploit or even a detailed advisory
before they've had a chance to handle it.

Which reminds me, if the currently undisclosed nature of this vulnerability
is allowing your customers to consider not acting, then you need to press
harder.  My experience has taught me that responsible vulnerability
disclosure is a thankless job.  Customers are confused, vendors are angry,
and more often than not, there is no glory for you as someone else will
discover and disclose the same vulnerability before you're done handling it
the correct way.


PaulM
