Re: Disclosure-for-pay?

Regarding the ethics of demanding money for vulnerability information:
In most modern industrialized nations, asking a vendor to pay for the
details of a security vulnerability is both unethical, and is or should be
criminal extortion of both the vendor, and by extension, the vendor's
customers.  However, after many years of working in the security industry,
I've come to realize that in many parts of the world, including some
economically advanced Asian nations, this kind of activity is considered
either acceptable or is tolerated to a greater or lesser extent.  This is
by no means an excuse for the behavior, I only mention it so that you
don't jump to any conclusions about an intent or malice that this
individual may or may not have for your firm.

There are a number of things that can be done when these kinds of things
happen, but first and foremost you should take notice of two things: you
have been notified of a potential hole in your customer's networks and
also, frankly, a potential public relations liability for your firm.
Because of this you should try to stay to see if you can convince this
person to do the right thing and provide you with the information. Do not
give in to demands for money under any circumstances. One strategy in
these cases is to turn the tables on such a person by telling them that
you intend to make their identity public and state the truth about them,
which is that they are attempting to hold an ethical firm and its
customers hostage for cash. If the individual is reluctant to provide the
details, consider demanding that he or she provide some proof of the
vulnerability's existence, either through partial technical details or a
live exploit demonstration; then try to use these details to determine the
nature of what has been found. It's a generally accepted practice to give
credit to people outside of a firm for reporting a security vulnerability
in a responsible manner; perhaps this person would accept such
public credit as a career boost in lieu of a ransom.  As a last resort,
consider contacting law enforcement or the NIPC (www.nipc.gov). In the
event that none of the above works, you can at least truthfully tell your
customers that you made a best effort to address the issue.

-Josh
http://www.mobile-secure.com/

On Wed, 16 Jul 2003, Jay D. Dyson wrote:

> On Wed, 16 Jul 2003, Talley, Brooks wrote:
>
> > My company recently received a communication from someone purporting to
> > know of a security vulnerability in our web application. The individual
> > stated that they would sign an NDA and report the details of the
> > vulnerability to us if we paid his "consulting fee" and provided future
> > services to him at no cost.
>
> 	Call me unruly, but that sounds like extortion to me.  Indeed,
> it's all too akin to someone knocking on your door and claiming they've
> found a way to steal your car...but if you'll give them free rides around
> town, they'll keep it quiet.
>
> > Is that kind of demand for payment for reporting a vulnerability at all
> > the norm?
>
> 	No, this is _not_ the norm.  If anything, it's unethical.  In some
> circles, it's considered illegal.  There have been a few people who've
> been pinched by law enforcement for such "offers."
>
> 	Bottom line: you didn't hire this individual to audit your
> applications, so he's out of line asking for compensation.
>
> - -Jay
>
>    (    (                                                        _______
>    ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
>  C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) |    = |-'
>   `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'  `------'
>