Bugtraq mailing list archives

Submission
From: hellnbak () HUSHMAIL COM
Date: Mon, 27 Nov 2000 10:52:54 -0700

Don't know if you post this kind of lame shit, but I thought I would toss this together and see what it comes up with.

------------------------------------------------------------------------

Vendor Response and Reporting Vulnerabilities.
Written by:  HellNbak (hellNbak () hushmail com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

At risk of starting the age old "Full Disclosure" debate again, I felt that I had to write this.  It seems lately that the so-called security industry has lost its backbone.  To quote a director of a popular security portal: "The whole thing is just sickening, I am waiting for someone to say something about it".  Well, here is your someone.

What is sickening, you ask?  The recent rash of advisories that contain the following text:  "I had contacted the vendor 3 days ago but they have not fixed the problem".  Then we will see a response from the vendor detailing how irresponsible and uncooperative the person has been and how they are trying to get a fix rolled out.

Let's look at some of the recent Georgi Guninski advisories, as these are the best example.  Let's look at some message threads recently found on Bugtraq and Win2KSecAdvice.  Thank you to Neohapsis for the excellent archive of these plus other lists.

http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0054.html
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0055.html
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0056.html

The first URL set details a problem that Georgi found with a Microsoft product.  Georgi decided that Microsoft needed only four (4) days to verify and fix the problem(s) he found.  The message thread is a little interesting, as Microsoft took the time to point out the level of cooperation received by Georgi.

http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0074.html

This URL is another Georgi advisory, again only giving the vendor, who happens to be Microsoft again, four (4) days to fix the problem.

Let's refer to RFPolicy 2.0, http://www.wiretrip.net/rfp/policy.html.

------------------------------------------------------------------------
"B. The MAINTAINER is to be given 5 working days (in respects to the ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the end of 5 working days, the ORIGINATOR should disclose the ISSUE. Should the MAINTAINER contact the ORIGINATOR within the 5 working days, it is at the discretion of the ORIGINATOR to delay disclosure past 5 working days. The decision to delay should be passed upon active communication between the ORIGINATOR and MAINTAINER.

C. Requests from the MAINTAINER for help in reproducing problems or for additional information should be honored by the ORIGINATOR. The ORIGINATOR is encouraged to delay disclosure of the ISSUE if the MAINTAINER provides feasible reasons for requiring so.

D. If the MAINTAINER goes beyond 5 working days without any communication to the ORIGINATOR, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is responsible for providing regular status updates (regarding the resolution of the ISSUE) at least once every 5 working days.

E. In respect for the ORIGINATOR following this policy, the MAINTAINER is encouraged to provide proper credit to the ORIGINATOR for doing so. Failure to document credit to the ORIGINATOR may leave the ORIGINATOR unwilling to follow this policy with the same MAINTAINER on future issues, at the ORIGINATOR's discretion. Suggested (minimal) credit would be:

"Credit to [ORIGINATOR] for disclosing the problem to [MAINTAINER]."

F. The MAINTAINER is encouraged to coordinate a joint public release/disclosure with the ORIGINATOR, so that advisories of problem and resolution can be made available together."

------------------------------------------------------------------------

From reading this section of RFPolicy, it is clear that Georgi Guninski was not too far off the mark by only giving Microsoft four days to respond.  But was he really?  Did Georgi cooperate with Microsoft?  According to Microsoft he did not.  Georgi himself claimed to not be required to work with Microsoft for free.

Let's jump away from this for a minute so I can clarify a few things.

A.)  I am not a Microsoft employee or even all that pro-Microsoft.  I am using Microsoft as my example as I do feel that they are treated unfairly by most when reporting vulnerabilities.

B.)  There is nothing forcing Georgi, or anyone for that matter, to follow RFPolicy, but the policy is a good idea and is very sound, so why not follow it?

C.)  This one is important: for those of you who do not know, Georgi Guninski is a security contractor.  Currently, he is under contract with AOL/Netscape.  Hmmmmmm......

OK, with that being said, many of you are probably thinking that Georgi is not allowed to cooperate with Microsoft because of his job with Netscape/AOL.  To be blunt, this is nothing more than a lame excuse.  Companies work with their competitors over security holes constantly.  In fact, I have seen advisories (the recent MS Network Monitor ones as an example) that contain issues worked on by two very competitive companies, ISS and NAI.

Could one assume that Georgi is only releasing his vulnerabilities in this fashion because Microsoft is a competitor?  What is Georgi's job description at Netscape?  Why is Georgi only concentrating on Microsoft products?  Something smells here, and for once it is not Microsoft.

I am a supporter of full disclosure, or should I say RESPONSIBLE full disclosure.  It seems to me that people like Georgi Guninski, while they claim to support full disclosure, obviously support it for reasons other than the good of the security community.  A security professional has a responsibility to report issues to vendors and to work with vendors to solve them.  Doing this gets you, the security professional, recognition from the vendor and looks great on a resume.  Being irresponsible does not.

I know a lot of you are probably thinking that this rant is pointed directly at Georgi, and I guess it is, as he is probably the largest offender.  Georgi, take this message for what it is worth: you are no longer doing the security industry a service; you are letting people know that AOL/Netscape and their big pockets can take a once respected person and obviously very intelligent security professional and use them to do their bidding.

Send your flames and comments to hellnbak () hushmail com
