On Thu, 20 May 2004, Tom wrote:

> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed. Now I have found a 3rd with new services added to
> this shopping cart.

/.../

Security research and disclosure is hardly ever black or white. Just as with any other kind of creative work, there are beneficial and malicious uses or effects of every bit of information you discover, and endless arguments can be fought over which of the aspects is predominant in what disclosure scheme or business / research model. There is no truly responsible disclosure or non-disclosure, it's just a question of lesser evil, and there is and will be no consensus as to which is which.

As such, you cannot ask others to provide you a reasonable answer as to the ethics - you have to seek it yourself and settle with an answer that makes you feel comfortable. Be your own compass.

We can only tell you what the commonly accepted practice is, and whether the vendor can be considered negligent for his handling (or lack thereof) of this issue. In this particular case, the answer to the latter question is yes, assuming you have made all reasonable attempts to contact them (phone, perhaps?).

Whenever dealing with a stubborn and nonresponsive commercial vendor with no prior experience with security, you also need to take into account a possible retaliatory action against you, even if you acted in the way you considered most ethical. These attempts are generally unlikely to succeed (don't bet on it, though), but may waste plenty of your time and wreck your nerves.

> * Notify their customers (several 100)

You can easily upset the vendor, and have them sue you. Naturally, you may have a point, but is it worth it? Besides, you'd be spamming, and this venue is perhaps least professional, as it would appear you are pushing a particular agenda to discredit the vendor.

> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)

Unlikely to cause any effect, really - they're happy as long as they're making money.

> * Be a total A** and just release it to all the mailing lists and at
> DEFCON

Up to you, really. Exposing the fact they suck at security might be quite beneficial for customers in the long run. On the other hand, you can expect some fraud/abuse in the short term.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-05-21 00:06 --
http://lcamtuf.coredump.cx/photo/current/