RE: Publicly Disclosing A Vulnerability
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 5 Oct 2005 13:46:49 -0400
Subject: RE: [Full-disclosure] Publicly Disclosing A Vulnerability
> So I ask the list- what is more beneficial to the customer? Not publicly
> risk and hoping that they follow the suggestions of the vendor to upgrade?
> 30 days and send it out?
Your customers need to be your main concern, since they literally own this
process. Piss them off by disclosing a vulnerability that they have and
cannot fix, and you can bet that it'll be the last time you do business with
them. Might wanna check your paperwork, too - you may hold some liability
to them if you disclose this vulnerability.
Of course, if you have multiple customers that are using the vulnerable
product, your life is even more complicated. You may choose to discreetly
inform them that a vulnerability has been discovered and that they should
consider upgrading. That is an ethical and responsible course of action,
but it may violate your other customers' trust. Hence, discretion.
Once your customers are taken care of, you can look at responsible
disclosure avenues. But I would implore you, as long as the vendor commits
to releasing a patch or notifying their customers, not to do something to
sabotage their efforts, like releasing an exploit or even a detailed
advisory before they've had a chance to handle it.
Which reminds me, if the currently undisclosed nature of this vulnerability
is allowing your customers to consider not acting, then you need to press
harder. My experience has taught me that responsible vulnerability
disclosure is a thankless job. Customers are confused, vendors are angry,
and more often than not, there is no glory for you as someone else will
discover and disclose the same vulnerability before you're done handling it
the correct way.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/