Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Question about ethics when discovering a security fault in system
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Thu, 27 Oct 2005 16:46:08 -0400

My question is what is good ethics for me to continue with this? Sense I discovered it by mistake, and everyone can do the same thing and everyone can reproduce it. And it is a perimeter security device providing remote access from a large manufacturer. And might be a known problem by others than the manufacturer, how ever the product has only bean on the market for about 2 months.

You write up your advisory, like many that you see here, without revealing the details of the exploit.

What I want a resolution so the device we bought to provide us with remote access and security shall work securely and that the company shall inform other owner of there products about the problem so they wont have the same security breach.

Standard practice is to give the vendor a reasonable amount of time to respond. (exact value of that depends on the person .. I'd say ~30 days is average .. but some will wait until some number of days AFTER a patch is released) -- then you release a modified version of your advisory with the exploit details.

Sure .. others might discover it "by accident" .. but security researchers that do that aren't the folks that'd write worms or go hacking about. It's the scriptkiddies that read PoC code on FD and elsewhere that do. Write the advisory (claim your credit of discovery), leave out the gory details, and wait for the vendor (reasonably).

Sometimes you've got to nail them with PoC code to get the fire lit .. but usually they don't like getting embarassed that way.


Michael Holstein CISSP GCIA
Cleveland State University
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]