Full Disclosure mailing list archives

How NOT to respond to vulnerability reports
From: Sam Johnston <samj () samj net>
Date: Wed, 9 Nov 2011 20:27:10 +0100

Apologies again for the HTML — too many inline links for text. I'd probably
leave these guys alone were it not for stuff like

"*With Enomaly’s patented security functionality, a service provider can
deliver a unique, high security Cloud Computing service – commanding a
higher price point than commodity public cloud providers.*"


How NOT to respond to vulnerability

Reuven Cohen <http://www.elasticvapor.com/> and the guys at
Enomaly <http://www.enomaly.com/> could write the book on how NOT to
respond to vulnerability reports:

   1. Don't disavow
products you've previously
   2. Don't claim issues are not
denying researchers a right of reply
   3. Don't claim obvious issues are "unactionably
   and then ignore them, even after a working exploit is publicly
   4. Don't claim trivial remote root exploits are "theoretically valid but
   extremely difficult to
   5. Don't claim it's ok to rely
by obscurity or race conditions
   6. Don't turn on
a researcher posts a vulnerability
your lists
   7. Don't subsequently ban a researcher from your
they tried to notify your users when you failed to
   8. Don't claim that security vulnerabilities are
there have been "
   *no reports of any security compromise*"
   9. Don't claim <http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html> "
   *other mitigating factors that have been present in the environment from
   the beginning*" when the vulnerability has already been demonstrated
   10. Don't ask for private notification of
to then ignore/dispute them
   11. Don't publicly call researchers
opting for full
   disclosure <http://en.wikipedia.org/wiki/Full_disclosure>,
   especially when they do so because you have been reticent and unresponsive
   in the past
   12. Don't release ineffective
   especially when the researcher has told you exactly how to fix it
   13. Don't dispute the
a clearinghouse like
   Secunia <http://secunia.com/> contacts you to verify it
   14. Don't criticise
researchers <http://twitter.com/ruv/status/8623995916> for reviewing
your product
   15. Don't shoot the
   16. Don't downplay critical
   "*relatively minor*", "random" paths as "*pretty hard to guess*", etc.
   17. Don't send in board
fight your battles
   18. Don't claim new
   "*significant new and enhanced functionality*" is a valid excuse
   19. Don't make security
claims <http://www.enomaly.com/High-Assurance-E.484.0.html> like "High
Assurance" if you're not going to take security seriously
   20. Don't claim <https://spotcloud.appspot.com/terms> that "*Enomaly
   shall be entitled to (i) suspend or de-activate your account without
   notice, and (ii) retain any remaining funds in your account*", and
   don't actually do

 After my recent SploitCloud: exploiting cloud brokers for fun and
profit <http://samj.net/2011/10/sploitcloud.html> article and the
follow-up Retro
vulnerability of the day: cleartext passwords over the
have thought the publicly demonstrated vulnerabilities would have
been quietly fixed and we'd have moved on. But no — they've decided instead
to suspend my Spotcloud <http://www.spotcloud.com/> account so that I can't
find any more holes, *keeping funds they were holding in trust for payment
to third-party providers as "compensation"* — something I'm more inclined
to refer to as "theft":

Enomaly have also not only failed to notify Spotcloud
sellers <http://groups.google.com/group/spotcloudsellers> that they are
vulnerable themselves, but moderated (e.g. deleted) my notification to them
and banned me from the lists in the process:

 If I were one of the (apparently few) users of the Spotcloud service then
I'd be extremely dissatisfied, to say the least, that this information was
being actively concealed from me. At the end of the day you owe it to
yourselves and your users to only ever work with providers who take
security seriously.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
