Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Question about ethics when discovering a security fault in system
From: Jeremy Bishop <requiem () praetor org>
Date: Thu, 27 Oct 2005 11:51:09 -0700

On Thursday 27 October 2005 11:28, Torbjörn Samuelsson wrote:

I stumbled upon a security fault (discovered it by mistake) this
Sunday in a perimeter security device.
The day after I contacted the manufacturer and informed them about it
and later that evening the acknowledged the problem and they where
able to reproduce it.

This sounds like a decent response time.  Was it a "we looked into this 
and it seems you are correct" response that you received, or something 
closer to "yeah, we already know about that and don't really care"?

My question is what is good ethics for me to continue with this?

What I want a resolution so the device we bought to provide us with
remote access and security shall work securely and that the company

So, you are also a customer?  This gives you excellent grounds for 
asking how the company plans to correct this flaw.  Since it seems 
their initial response was both prompt and favorable, it's likely that 
some sort of update will be made available.  Your responsibility is to 
find a way to mitigate the current risk to your company until a fix is 
in place.  This usually includes allowing some time for the company to 
produce such a fix.  Going immediately public with the flaw is less 
than polite to the company, and will also jeopardize your own company.  
(I.e. People will now not only about the flaw, but about someone who is 
vulnerable to it: you.)

shall inform other owner of there products about the problem so they
wont have the same security breach.

It is possible that the company may do this on their own.  You don't 
have a responsibility to their other customers, only a more generalized 
responsibility to the community.  Custom on this list is that the 
vulnerability is revealed after a reasonable time.  "Reasonable" is a 
balance between allowing the vendor to produce a fix (so that when the 
problem is announced, people aren't needlessly exposed) and alerting 
the community to a problem (because it's likely someone else already 
knows about the problem, and is exploiting it).


...would you work for a company that couldn't tell the difference in
quality of its employees' normal work product and the work product of
someone on drugs without performing a test?
              -- socks
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]