RE: Question About Ethics and Full Disclosure

["Syste Op" <sysop5@xxxxxxxxxxx>]

That's a good way of doing it. I think it would be better to shorten the 
period of time from 1-9 months to 1-5. When you're reporting a 
vulnerability, you should try and report the fix for it too. In my opinion, 
exploit code should be posted a few weeks after the vulnerability has been 
reported to ensure that the company works on a fix.
-OptiKal Mouse

> From: "Joe Klein" <jsklein@xxxxxxxxxxxxxx>
> Reply-To: <jsklein@xxxxxxxxxxxxxx>
> To: "'Kevin E. Casey'" <kcasey@xxxxxxxxxxx>,<tommy@xxxxxxxxxxxxxxxxxxx>, 
> <frogman@xxxxxxxxxxxxxx>
> CC: <bugtraq@xxxxxxxxxxxxxxxxx>, 
> <security-basics@xxxxxxxxxxxxxxxxx>,<vuln-dev@xxxxxxxxxxxxxxxxx>, 
> <webappsec@xxxxxxxxxxxxxxxxx>
> Subject: RE: Question About Ethics and Full Disclosure
> Date: Wed, 9 Jun 2004 08:11:48 -0500
> MIME-Version: 1.0
> Received: from outgoing2.securityfocus.com ([205.206.231.26]) by 
> mc6-f39.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 9 Jun 2004 
> 17:14:24 -0700
> Received: from lists2.securityfocus.com (lists2.securityfocus.com 
> [205.206.231.20])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> 60A49143AF0; Wed,  9 Jun 2004 20:17:34 -0600 (MDT)
> Received: (qmail 25671 invoked from network); 9 Jun 2004 07:00:52 -0000
> X-Message-Info: JGTYoYF78jGL48EpGnia7jun7YIUh0SR
> Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
> List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
> List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
> Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
> Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
> Message-ID: <003f01c44e23$53e36590$6401a8c0@nsaifly>
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> In-Reply-To: 
> <96B5E0E83D6A07428B6CDB8775AB9FBA277007@xxxxxxxxxxxxxxxxxxxxxxx>
> X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> Return-Path: bugtraq-return-14677-sysop5=hotmail.com@xxxxxxxxxxxxxxxxx
> X-OriginalArrivalTime: 10 Jun 2004 00:14:24.0217 (UTC) 
> FILETIME=[E290CC90:01C44E7F]
>
> Below is an outline for my disclosure process.
>
>
> Vulnerability Found:
>
> 1. E-Mail & Call company about finding
> 	- Document vulnerability
> 	- Document date/time/who you talked to.
> 	- Provide an 'ethical disclosure' reporting deadline
> 		- one to nine months, depending on the vulnerability
> 	- Inform them you will be reporting them to www.cert.org and
> www.us-cert.gov
>
> 2. Report Vulnerability to:
> 	A. www.cert.org :
> http://www.cert.org/reporting/vulnerability_form.txt
> 	B. www.us-cert.gov : cert@xxxxxxxx
>
> ----
> Vulnerability is addressed - day upgrade/patch is released
>
> 1. Disclose to your favorite list/lists
> 	- Disclose your process
> 	- Disclose your due diligence
> 		- communication to/from company
> 		- posting to cert.org and us-cert.gov
> 	- Disclose the vulnerability
>
> ----
> Vulnerability not addressed - one to nine months
>
> 1. E-Mail & Call company
> 	- Documentation of vulnerability
> 	- Documentation of your due diligence
> 		- reporting communication to/from company
> 		- reporting to cert.org and us-cert.gov
> 	- Provide date of disclosure
>
> Day of Disclosure:
>
> 1. Disclose to your favorite list/lists
> 	- Disclose your process
> 	- Disclose your due diligence
> 		- communication to/from company
> 		- posting to cert.org and us-cert.gov
> 	- Disclose the vulnerability
>
>
> Opinions?
>
>
>
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey@xxxxxxxxxxx]
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy@xxxxxxxxxxxxxxxxxxx; frogman@xxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx;
> vuln-dev@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
> Subject: RE: Question About Ethics and Full Disclosure
>
>
> Try calling the sales department for the shopping cart vendor.  Tell
> them you hard about the 2 vulnerabilities, thll them that when they are
> fixed, you might perhaps buy their product...  Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
>
> -----Original Message-----
> From: Tom [mailto:tommy@xxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman@xxxxxxxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx;
> vuln-dev@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
> Subject: Question About Ethics and Full Disclosure
>
>
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed.  Now I have found a 3rd with new services added to
> this shopping cart.
>
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
>
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
>
> Thanks,
>
> Tom Ryan
> << JosephSKlein(jsklein@xxxxxxxxxxxxxx)(jsklein@xxxxxxxxxxxxxx).vcf >>

_________________________________________________________________
Get fast, reliable Internet access with MSN 9 Dial-up ? now 3 months FREE! 
http://join.msn.click-url.com/go/onm00200361ave/direct/01/