Re: [Full-disclosure] To disclose or not to disclose



Salut, Simon,

On Fri, 26 Sep 2008 23:39:34 -0400, Simon Smith wrote:
> 1-) Create a formal advisory, contact the vendor and notify them of
> the intent to release the advisory in a period of "n" days? If the
> vendor refuses to fix the issue does the security company still
> release the advisory in "n" days? Is that protecting the customer or
> putting the customer at risk? Or does it even change the risk level
> as their risk still exists.

Not good; this is usually interpreted as coercion by companies like
e.g. Cisco. I've seen cases where companies had all of their Cisco
accounts terminated because someone took this approach.

> 2-) Does the security company collect a list of users of the
> technology and notify those users one by one? The process might be
> very time consuming but by doing that the security company might not
> increase the risk faced by the users of the technology, will they?

There's a better way to do this than to find every single user: become
a member of a local CERT, and have the issue discussed there, for
example.

> 3-) Does the security company release a low level advisory that
> notifies users of the technology to contact the vendor in order to
> gain access to the technical details about the issue?

Do not nonymously release advisories for security issues the vendor has
not acknowledged! This is a straight road to trouble.

> I'm very interested to hear what people think the "responsible" action
> would be here. It appears that this is a challenge that will at some
> level create risk for the customer. Is it impossible to do this
> without creating an unacceptable level of risk?

Sometimes other CERT members happen to have developer accounts for the
products in question, if such a thing exists. This allows you to create
a patch for the product and circulate it along with the advisory. This
minimizes the risk level for users of the product, of course.

                                Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard@xxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/