Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

How NOT to respond to vulnerability reports
From: Sam Johnston <samj () samj net>
Date: Wed, 9 Nov 2011 20:27:10 +0100

Apologies again for the HTML — too many inline links for text. I'd probably
leave these guys alone were it not for stuff like
this<http://www.enomaly.com/High-Assurance-E.484.0.html>
:

"*With Enomaly’s patented security functionality, a service provider can
deliver a unique, high security Cloud Computing service – commanding a
higher price point than commodity public cloud providers.*"

Enjoy.

Sam
How NOT to respond to vulnerability
reports<http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html>
  <http://memegenerator.net/instance/11298030>

Reuven Cohen <http://www.elasticvapor.com/> and the guys at
Enomaly<http://www.enomaly.com/>could write the book on how NOT to
respond to vulnerability reports:

   1. Don't disavow
vulnerabilities<https://twitter.com/#%21/ruv/status/133221009342992384>in
products you've previously
   taken<http://www.elasticvapor.com/2008/04/enomaly-launches-giftagcom-for-bestbuyg.html>
   credit<http://www.elasticvapor.com/2008/09/bestbuys-giftagcom-getting-some-press.html>for
   2. Don't claim issues are not
valid<http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>while
denying researchers a right of reply
   3. Don't claim obvious issues are "unactionably
vague<http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>"
   and then ignore them, even after a working exploit is publicly
available<http://samj.net/2011/10/sploitcloud.html>
   4. Don't claim trivial remote root exploits are "theoretically valid but
   extremely difficult to
exploit<http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>
   "
   5. Don't claim it's ok to rely
on<http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>security
by obscurity or race conditions
   6. Don't turn on
moderation<http://groups.google.com/group/spotcloudbuyers/about>because
a researcher posts a vulnerability
   report<http://groups.google.com/group/spotcloudbuyers/msg/a1e010147241298e>to
your lists
   7. Don't subsequently ban a researcher from your
lists<http://1.bp.blogspot.com/-Kbx1w50mK_g/Trp0D54k9LI/AAAAAAAAAYs/ZZ0tIMoPLZE/s1600/spotcloud-banned.png>because
they tried to notify your users when you failed to
   8. Don't claim that security vulnerabilities are
ok<http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>because
there have been "
   *no reports of any security compromise*"
   9. Don't claim<http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html>"
   *other mitigating factors that have been present in the environment from
   the beginning*" when the vulnerability has already been demonstrated
   10. Don't ask for private notification of
vulnerabilities<http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html>only
to then ignore/dispute them
   11. Don't publicly call researchers
unethical<http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>for
opting for full
   disclosure <http://en.wikipedia.org/wiki/Full_disclosure>,
   especially when they do so because you have been reticent and unresponsive
   in the past
   12. Don't release ineffective
fixes<http://seclists.org/bugtraq/2009/Feb/142>,
   especially when the researcher has told you exactly how to fix it
   13. Don't dispute the
vulnerability<http://samj.net/2010/02/private-cloud-security-is-no-security.html>when
a clearinghouse like
   Secunia <http://secunia.com/> contacts you to verify it
   14. Don't criticise
researchers<http://twitter.com/ruv/status/8623995916>for reviewing
your product
   15. Don't shoot the
messenger<http://www.elasticvapor.com/2008/11/v-for-vendetta.html>
   16. Don't downplay critical
vulnerabilities<http://www.elasticvapor.com/2008/11/v-for-vendetta.html>
as
   "*relatively minor*", "random" paths as "*pretty hard to guess*", etc.
   17. Don't send in board
members<http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601>to
fight your battles
   18. Don't claim new
products<http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601>
having
   "*significant new and enhanced functionality*" is a valid excuse
   19. Don't make security
claims<http://www.enomaly.com/High-Assurance-E.484.0.html>like "High
Assurance" if you're not going to take security seriously
   20. Don't claim <https://spotcloud.appspot.com/terms> that "*Enomaly
   shall be entitled to (i) suspend or de-activate your account without
   notice, and (ii) retain any remaining funds in your account*", and
definitely
   don't actually do
it<http://3.bp.blogspot.com/-DMDtb1nYaew/Trp15BD8MiI/AAAAAAAAAY0/yCmWSKKOsZo/s1600/spotcloud-suspended.png>
   .

 After my recent SploitCloud: exploiting cloud brokers for fun and
profit<http://samj.net/2011/10/sploitcloud.html>article and the
follow-up Retro
vulnerability of the day: cleartext passwords over the
wire<http://samj.net/2011/11/retro-vulnerability-of-day-cleartext.html>you'd
have thought the publicly demonstrated vulnerabilities would have
been quietly fixed and we'd have moved on. But no — they've decided instead
to suspend my Spotcloud <http://www.spotcloud.com/> account so as I can't
find any more holes, *keeping funds they were holding in trust for payment
to third-party providers as "compensation"* — something I'm more inclined
to refer to as "theft":
 <http://3.bp.blogspot.com/-DMDtb1nYaew/Trp15BD8MiI/AAAAAAAAAY0/yCmWSKKOsZo/s1600/spotcloud-suspended.png>

Enomaly have also not only failed to notify Spotcloud
buyers<http://groups.google.com/group/spotcloudbuyers>and
sellers <http://groups.google.com/group/spotcloudsellers> that they are
vulnerable themselves, but moderated (e.g. deleted) my notification to them
and banned me from the lists in the process:
 <http://1.bp.blogspot.com/-Kbx1w50mK_g/Trp0D54k9LI/AAAAAAAAAYs/ZZ0tIMoPLZE/s1600/spotcloud-banned.png>

 If I were one of the (apparently few) users of the Spotcloud service then
I'd be extremely dissatisfied, to say the least, that this information was
being actively concealed from me. At the end of the day you owe it to
yourselves and your users to only ever work with providers who take
security seriously.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • How NOT to respond to vulnerability reports Sam Johnston (Nov 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]