mailing list archives
Re: Question about ethics when discovering a security fault in system
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Thu, 27 Oct 2005 16:46:08 -0400
My question is what is good ethics for me to continue with this? Sense I
discovered it by mistake, and everyone can do the same thing and
everyone can reproduce it. And it is a perimeter security device
providing remote access from a large manufacturer. And might be a known
problem by others than the manufacturer, how ever the product has only
bean on the market for about 2 months.
You write up your advisory, like many that you see here, without
revealing the details of the exploit.
What I want a resolution so the device we bought to provide us with
remote access and security shall work securely and that the company
shall inform other owner of there products about the problem so they
wont have the same security breach.
Standard practice is to give the vendor a reasonable amount of time to
respond. (exact value of that depends on the person .. I'd say ~30 days
is average .. but some will wait until some number of days AFTER a patch
is released) -- then you release a modified version of your advisory
with the exploit details.
Sure .. others might discover it "by accident" .. but security
researchers that do that aren't the folks that'd write worms or go
hacking about. It's the scriptkiddies that read PoC code on FD and
elsewhere that do. Write the advisory (claim your credit of discovery),
leave out the gory details, and wait for the vendor (reasonably).
Sometimes you've got to nail them with PoC code to get the fire lit ..
but usually they don't like getting embarassed that way.
Michael Holstein CISSP GCIA
Cleveland State University
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/