[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <43613C90.8020907@csuohio.edu>
Date: Thu Oct 27 21:46:58 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Question about ethics when discovering a
security fault in system
> My question is what is good ethics for me to continue with this? Sense I
> discovered it by mistake, and everyone can do the same thing and
> everyone can reproduce it. And it is a perimeter security device
> providing remote access from a large manufacturer. And might be a known
> problem by others than the manufacturer, how ever the product has only
> bean on the market for about 2 months.
You write up your advisory, like many that you see here, without
revealing the details of the exploit.
> What I want a resolution so the device we bought to provide us with
> remote access and security shall work securely and that the company
> shall inform other owner of there products about the problem so they
> wont have the same security breach.
Standard practice is to give the vendor a reasonable amount of time to
respond. (exact value of that depends on the person .. I'd say ~30 days
is average .. but some will wait until some number of days AFTER a patch
is released) -- then you release a modified version of your advisory
with the exploit details.
Sure .. others might discover it "by accident" .. but security
researchers that do that aren't the folks that'd write worms or go
hacking about. It's the scriptkiddies that read PoC code on FD and
elsewhere that do. Write the advisory (claim your credit of discovery),
leave out the gory details, and wait for the vendor (reasonably).
Sometimes you've got to nail them with PoC code to get the fire lit ..
but usually they don't like getting embarassed that way.
Cheers,
Michael Holstein CISSP GCIA
Cleveland State University
Powered by blists - more mailing lists