lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200510271151.09775.requiem@praetor.org>
Date: Thu Oct 27 19:52:13 2005
From: requiem at praetor.org (Jeremy Bishop)
Subject: Question about ethics when discovering a
	security fault in system

On Thursday 27 October 2005 11:28, Torbj?rn Samuelsson wrote:
> Hi
>
> I stumbled upon a security fault (discovered it by mistake) this
> Sunday in a perimeter security device.
> The day after I contacted the manufacturer and informed them about it
> and later that evening the acknowledged the problem and they where
> able to reproduce it.

This sounds like a decent response time.  Was it a "we looked into this 
and it seems you are correct" response that you received, or something 
closer to "yeah, we already know about that and don't really care"?

> My question is what is good ethics for me to continue with this?

> What I want a resolution so the device we bought to provide us with
> remote access and security shall work securely and that the company

So, you are also a customer?  This gives you excellent grounds for 
asking how the company plans to correct this flaw.  Since it seems 
their initial response was both prompt and favorable, it's likely that 
some sort of update will be made available.  Your responsibility is to 
find a way to mitigate the current risk to your company until a fix is 
in place.  This usually includes allowing some time for the company to 
produce such a fix.  Going immediately public with the flaw is less 
than polite to the company, and will also jeopardize your own company.  
(I.e. People will now not only about the flaw, but about someone who is 
vulnerable to it: you.)

> shall inform other owner of there products about the problem so they
> wont have the same security breach.

It is possible that the company may do this on their own.  You don't 
have a responsibility to their other customers, only a more generalized 
responsibility to the community.  Custom on this list is that the 
vulnerability is revealed after a reasonable time.  "Reasonable" is a 
balance between allowing the vendor to produce a fix (so that when the 
problem is announced, people aren't needlessly exposed) and alerting 
the community to a problem (because it's likely someone else already 
knows about the problem, and is exploiting it).

Jeremy

-- 
...would you work for a company that couldn't tell the difference in
quality of its employees' normal work product and the work product of
someone on drugs without performing a test?
              -- socks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ