mailing list archives
Re: Question about ethics when discovering a security fault in system
From: Jeremy Bishop <requiem () praetor org>
Date: Thu, 27 Oct 2005 11:51:09 -0700
On Thursday 27 October 2005 11:28, Torbjörn Samuelsson wrote:
I stumbled upon a security fault (discovered it by mistake) this
Sunday in a perimeter security device.
The day after I contacted the manufacturer and informed them about it
and later that evening the acknowledged the problem and they where
able to reproduce it.
This sounds like a decent response time. Was it a "we looked into this
and it seems you are correct" response that you received, or something
closer to "yeah, we already know about that and don't really care"?
My question is what is good ethics for me to continue with this?
What I want a resolution so the device we bought to provide us with
remote access and security shall work securely and that the company
So, you are also a customer? This gives you excellent grounds for
asking how the company plans to correct this flaw. Since it seems
their initial response was both prompt and favorable, it's likely that
some sort of update will be made available. Your responsibility is to
find a way to mitigate the current risk to your company until a fix is
in place. This usually includes allowing some time for the company to
produce such a fix. Going immediately public with the flaw is less
than polite to the company, and will also jeopardize your own company.
(I.e. People will now not only about the flaw, but about someone who is
vulnerable to it: you.)
shall inform other owner of there products about the problem so they
wont have the same security breach.
It is possible that the company may do this on their own. You don't
have a responsibility to their other customers, only a more generalized
responsibility to the community. Custom on this list is that the
vulnerability is revealed after a reasonable time. "Reasonable" is a
balance between allowing the vendor to produce a fix (so that when the
problem is announced, people aren't needlessly exposed) and alerting
the community to a problem (because it's likely someone else already
knows about the problem, and is exploiting it).
...would you work for a company that couldn't tell the difference in
quality of its employees' normal work product and the work product of
someone on drugs without performing a test?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/