Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: To disclose or not to disclose
From: Simon Smith <simon () snosoft com>
Date: Sat, 27 Sep 2008 23:01:08 -0400

Elazar,
        I suppose that could be a good action, but doing that would potentially
put the security companies customer at risk. Granted, in the argument
they were already notified of the risk. So the question is, is that the
ethical choice? Is that a good business choice?


Elazar Broad wrote:
I would opt for #1, additionally, contacting CERT and other quasi-
government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendors ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon () snosoft com>
wrote:
Greetings,
     I have a theoretical question of ethics for other security
professionals that participate in this list. This is not an actual
situation, but it is a potentially realistic situation that I'm
interested in exploring and finding an acceptable solution to.

     Supposed a penetration testing company delivers a service to a
customer. That customer uses a technology that was created by a
third
party to host a critical component of their infrastructure. The
penetration testing company identifies several critical flaws in
the
technology and notifies the customer, and the vendor.

     One year passes and the vendor had done nothing to fix the issue.
The
customer is still vulnerable and they have done nothing to change
their
level of risk and exposure. In fact, lets say that the vendor flat
out
refuses to do anything about the issue even though they have been
notified of the problem. Lets also assume that this issue affects
thousands of customers in the financial and medical industry and
puts
them at dire risk.

     What should the security company do?

1-) Create a formal advisory, contact the vendor and notify them
of the
intent to release the advisory in a period of "n" days? If the
vendor
refuses to fix the issue does the security company still release
the
advisory in "n" days? Is that protecting the customer or putting
the
customer at risk? Or does it even change the risk level as their
risk
still exists.

2-) Does the security company collect a list of users of the
technology
and notify those users one by one? The process might be very time
consuming but by doing that the security company might not
increase the
risk faced by the users of the technology, will they?

3-) Does the security company release a low level advisory that
notifies
users of the technology to contact the vendor in order to gain
access to
the technical details about the issue?

4-) Does the security company do something else? If so, what is
the
appropriate course of action?

5-) Does the security company do nothing?

I'm very interested to hear what people thin the "responsible"
action
would be here. It appears that this is a challenge that will at
some
level create risk for the customer. Is it impossible to do this
without
creating an unacceptable level of risk?

Looking forward to real responses (and troll responses too...
especially
n3td3v).

--

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Self Storage Options - Click Here.
http://tagline.hushmail.com/fc/Ioyw6h4eNgR1BRhFB3CXCR61VEtfAqJ45ZV34qDMKcjsXBCGM0kWG5/



-- 

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault