I would opt for #1, additionally, contacting CERT and other quasi-
government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendors ass...
On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <simon () snosoft com>
I have a theoretical question of ethics for other security
professionals that participate in this list. This is not an actual
situation, but it is a potentially realistic situation that I'm
interested in exploring and finding an acceptable solution to.
Supposed a penetration testing company delivers a service to a
customer. That customer uses a technology that was created by a
party to host a critical component of their infrastructure. The
penetration testing company identifies several critical flaws in
technology and notifies the customer, and the vendor.
One year passes and the vendor had done nothing to fix the issue.
customer is still vulnerable and they have done nothing to change
level of risk and exposure. In fact, lets say that the vendor flat
refuses to do anything about the issue even though they have been
notified of the problem. Lets also assume that this issue affects
thousands of customers in the financial and medical industry and
them at dire risk.
What should the security company do?
1-) Create a formal advisory, contact the vendor and notify them
intent to release the advisory in a period of "n" days? If the
refuses to fix the issue does the security company still release
advisory in "n" days? Is that protecting the customer or putting
customer at risk? Or does it even change the risk level as their
2-) Does the security company collect a list of users of the
and notify those users one by one? The process might be very time
consuming but by doing that the security company might not
risk faced by the users of the technology, will they?
3-) Does the security company release a low level advisory that
users of the technology to contact the vendor in order to gain
the technical details about the issue?
4-) Does the security company do something else? If so, what is
appropriate course of action?
5-) Does the security company do nothing?
I'm very interested to hear what people thin the "responsible"
would be here. It appears that this is a challenge that will at
level create risk for the customer. Is it impossible to do this
creating an unacceptable level of risk?
Looking forward to real responses (and troll responses too...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/