Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

it's all about timing
From: full-disclosure () lists netsys com (Dave Killion)
Date: Wed, 31 Jul 2002 14:59:59 -0700

Florin,

I agree with you completely.  From what I understand this vulnerability is
about a year old, although I'm not knowledgeable enough to say that with
authority.  If it's true, then I believe the 2-4 week requirement has been
satisfied.

-Dave

*************************** NOTICE **************************
Opinions expressed in this email are solely my own, and do 
not reflect the attitudes, policy, or opinion of my employer.
*************************************************************


-----Original Message-----
From: Florin Andrei [mailto:florin () sgi com] 
Sent: Wednesday, July 31, 2002 2:27 PM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] it's all about timing


(i'm going to go a little bit further from the HP/Snosoft case, so don't be
surprised if some of the statements below do not fit 100% in that
case)

All these problems will vanish if people will choose to disclose
vulnerabilities in a responsible way. Sure, HP's response has been harsh.
But every security problem (especially when it's accompanied by an exploit)
should be reported first to the vendor! There should be no exception from
this rule. The person doing the reporting should give the vendor a
reasonable period of time to fix it; say, a few weeks or so.

Only if the vendor does nothing in these weeks, only then the
report/exploit/whatever should be made public.

If hacker H writes a comment on Slashdot, making public an exploit against
some software made by vendor V, and does not notify V in advance (say, 2...4
weeks in advance), and then V sues H, then who's right?

H is right, because (s)he disclosed a vulnerability, and disclosing is good.
V is right, because not being warned in advance, their customers are left to
the mercy of script kiddies. H is wrong, because (s)he's obviously looking
for cheap publicity (i published a zero-day exploit; mine is bigger), not
for improving security. V is wrong, because they are filing a lawsuit
against open disclosure, which is not a good thing.

See?

And the solution is so simple: DO NOT publish "zero-day exploits". Give the
damn vendors an early warning. Only if they are lazy and do nothing within a
reasonable time (2...4 weeks), only then you are entitled to go
slashdot-happy.

I'm a big fan of open disclosure, freedom of speech, etc. But people who
look for cheap publicity are not my favourites. If H is going to publish the
exploit without early warning, i'll say V has all the rights in the world to
sue the crap out of H, and put him(her) in jail for one thousand years, and
i'll applaud that. However, if there was an early warning, within a
reasonable time, like one month or so (unlike some popular security
companies did recently), and the vendor did nothing and didn't provide a
good reason for the delay (because such reasons could exist, if you think of
it), then H is 100% entitled to publish whatever exploit he likes.

It's all about timing. It's all about being reasonable.

-- 
Florin Andrei

"Some times are fuzzier than others." - Dan Farmer & Wietse Venema

_______________________________________________
Full-Disclosure - We believe in it. Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]