Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: To disclose or not to disclose
From: AaRoNg11 <aarong11 () gmail com>
Date: Sat, 27 Sep 2008 22:07:56 +0100

Well, if you've already warned your client that their software is vulnerable
and they haven't changed to an alternative, then it's fine to release an
advisory with all of the details.

I really don't understand why they'd pay for a penetration test to not take
action if their software was vulnerable. If the vendor is extremely
unresponsive to any information, it may be the case that releasing the
technical details to the public are the only way to get them to take notice.
Just think, you might not be the only person who has found out about the
exploit. There might be some black hat hacker somewhere using it to meet
their own ends. Some vendors are just like that though; they refuse to do
anything until it's too late. Maybe they'll start taking notice of bug
reports after this happening a few times and losing half of their clients.

On Sat, Sep 27, 2008 at 6:25 PM, Simon Smith <simon () snosoft com> wrote:

Great replies guys!

       So lets take this a step further. Lets suppose (again just theory)
the security company did notify the software vendor and did tell the
vendor where the security issues were in their technology, how to
exploit the issues, provided a proof of concept, and provided clear and
actionable methods for remediation. Lets then say that the software
vendor flat out, point blank, rejected that information and refused to
implement any fixes.

       Just to make this more interesting, lets say that this all happened
over one year ago. Lets also say that the customer who was being tested
by the security company and that is using the vulnerable software has
yet to address the vulnerability in their own network too.

       Is it the ethical duity of the security company to release an
Does that advisory put the customer at risk? It is clearly unethical to
do nothing and to leave everyone else at risk. How to proceed?


- simon


Aaron Goulden
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]