Message-ID: <2abd77e70809271407o7d211b28w74a4e5e84a725301@mail.gmail.com>
Date: Sat, 27 Sep 2008 22:07:56 +0100
From: AaRoNg11 <aarong11@...il.com>
To: "Simon Smith" <simon@...soft.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: To disclose or not to disclose
Well, if you've already warned your client that their software is vulnerable
and they haven't changed to an alternative, then it's fine to release an
advisory with all of the details.

I really don't understand why they'd pay for a penetration test to not take
action if their software was vulnerable. If the vendor is extremely
unresponsive to any information, it may be the case that releasing the
technical details to the public is the only way to get them to take notice.
Just think, you might not be the only person who has found out about the
exploit. There might be some black hat hacker somewhere using it to meet
their own ends. Some vendors are just like that though; they refuse to do
anything until it's too late. Maybe they'll start taking notice of bug
reports after this happening a few times and losing half of their clients.
On Sat, Sep 27, 2008 at 6:25 PM, Simon Smith <simon@...soft.com> wrote:
> Great replies guys!
>
> So let's take this a step further. Let's suppose (again just theory) that
> the security company did notify the software vendor and did tell the
> vendor where the security issues were in their technology, how to
> exploit the issues, provided a proof of concept, and provided clear and
> actionable methods for remediation. Let's then say that the software
> vendor flat out, point blank, rejected that information and refused to
> implement any fixes.
>
> Just to make this more interesting, let's say that this all happened
> over one year ago. Let's also say that the customer who was being tested
> by the security company and that is using the vulnerable software has
> yet to address the vulnerability in their own network too.
>
> Is it the ethical duty of the security company to release an advisory?
> Does that advisory put the customer at risk? It is clearly unethical to
> do nothing and to leave everyone else at risk. How to proceed?
>
> --
>
> - simon
>
> ----------------------
> http://www.snosoft.com
>
>
--
Aaron Goulden
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/