Message-ID: <20080929081443.63514d57@wssyg122.sygroup-int.ch>
Date: Mon, 29 Sep 2008 08:14:43 +0200
From: Tonnerre Lombard <tonnerre.lombard@...roup.ch>
To: Simon Smith <simon@...soft.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: To disclose or not to disclose
Salut, Simon,
On Fri, 26 Sep 2008 23:39:34 -0400, Simon Smith wrote:
> 1-) Create a formal advisory, contact the vendor and notify them of
> the intent to release the advisory in a period of "n" days? If the
> vendor refuses to fix the issue does the security company still
> release the advisory in "n" days? Is that protecting the customer or
> putting the customer at risk? Or does it even change the risk level
> as their risk still exists.
Not good; this is usually interpreted as coercion by companies like
e.g. Cisco. I've seen cases where companies had all of their Cisco
accounts terminated because someone took this approach.
> 2-) Does the security company collect a list of users of the
> technology and notify those users one by one? The process might be
> very time consuming but by doing that the security company might not
> increase the risk faced by the users of the technology, will they?
There's a better way to do this than to find every single user: become
a member of a local CERT, and have the issue discussed there, for
example.
> 3-) Does the security company release a low level advisory that
> notifies users of the technology to contact the vendor in order to
> gain access to the technical details about the issue?
Do not nonymously release advisories for security issues the vendor has
not acknowledged! This is a straight road to trouble.
> I'm very interested to hear what people think the "responsible" action
> would be here. It appears that this is a challenge that will at some
> level create risk for the customer. Is it impossible to do this
> without creating an unacceptable level of risk?
Sometimes other CERT members happen to have developer accounts for the
products in question, if such a thing exists. This allows you to create
a patch for the product and circulate it along with the advisory. This
minimizes the risk level for users of the product, of course.
Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel: +41 61 333 80 33
Fax: +41 61 383 14 67
Web: www.sygroup.ch
Güterstrasse 86
4053 Basel
tonnerre.lombard@...roup.ch