mailing list archives
Re: To disclose or not to disclose
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Mon, 29 Sep 2008 08:14:43 +0200
On Fri, 26 Sep 2008 23:39:34 -0400, Simon Smith wrote:
1-) Create a formal advisory, contact the vendor and notify them of
the intent to release the advisory in a period of "n" days? If the
vendor refuses to fix the issue does the security company still
release the advisory in "n" days? Is that protecting the customer or
putting the customer at risk? Or does it even change the risk level
as their risk still exists.
Not good; this is usually interpreted as coercion by companies like
e.g. Cisco. I've seen cases where companies had all of their Cisco
accounts terminated because someone took this approach.
2-) Does the security company collect a list of users of the
technology and notify those users one by one? The process might be
very time consuming but by doing that the security company might not
increase the risk faced by the users of the technology, will they?
There's a better way to do this than to find every single user: become
a member of a local CERT, and have the issue discussed there, for
3-) Does the security company release a low level advisory that
notifies users of the technology to contact the vendor in order to
gain access to the technical details about the issue?
Do not nonymously release advisories for security issues the vendor has
not acknowledged! This is a straight road to trouble.
I'm very interested to hear what people thin the "responsible" action
would be here. It appears that this is a challenge that will at some
level create risk for the customer. Is it impossible to do this
without creating an unacceptable level of risk?
Sometimes other CERT members happen to have developer accounts for the
products in question, if such a thing exists. This allows you to create
a patch for the product and circulate it along with the advisory. This
minimizes the risk level for users of the product, of course.
Tel:+41 61 333 80 33 Güterstrasse 86
Fax:+41 61 383 14 67 4053 Basel
Web:www.sygroup.ch tonnerre.lombard () sygroup ch
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/