Home page logo

fulldisclosure logo Full Disclosure mailing list archives

To disclose or not to disclose
From: Simon Smith <simon () snosoft com>
Date: Fri, 26 Sep 2008 23:39:34 -0400

        I have a theoretical question of ethics for other security
professionals that participate in this list. This is not an actual
situation, but it is a potentially realistic situation that I'm
interested in exploring and finding an acceptable solution to.

        Supposed a penetration testing company delivers a service to a
customer. That customer uses a technology that was created by a third
party to host a critical component of their infrastructure. The
penetration testing company identifies several critical flaws in the
technology and notifies the customer, and the vendor.

        One year passes and the vendor had done nothing to fix the issue. The
customer is still vulnerable and they have done nothing to change their
level of risk and exposure. In fact, lets say that the vendor flat out
refuses to do anything about the issue even though they have been
notified of the problem. Lets also assume that this issue affects
thousands of customers in the financial and medical industry and puts
them at dire risk.

        What should the security company do?

1-) Create a formal advisory, contact the vendor and notify them of the
intent to release the advisory in a period of "n" days? If the vendor
refuses to fix the issue does the security company still release the
advisory in "n" days? Is that protecting the customer or putting the
customer at risk? Or does it even change the risk level as their risk
still exists.

2-) Does the security company collect a list of users of the technology
and notify those users one by one? The process might be very time
consuming but by doing that the security company might not increase the
risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that notifies
users of the technology to contact the vendor in order to gain access to
the technical details about the issue?

4-) Does the security company do something else? If so, what is the
appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people thin the "responsible" action
would be here. It appears that this is a challenge that will at some
level create risk for the customer. Is it impossible to do this without
creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too... especially


- simon


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]