Dear DAN MORRILL,

--Wednesday, July 27, 2005, 10:08:12 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

DM> I got the official notice from SPI Dynamics today on this issue. I am in no
DM> way slamming people at all, but the interesting response was inability to
DM> reproduce the XAS issue.

SPI Dynamics already published an advisory on this issue and fixed this vulnerability, at least partially.

Revisions:
V1.0 (July 27, 2005): Internal Release
V1.1 (July 28, 2005): Bulletin published

Full disclosure effectiveness is proved again. Vulnerability known since April was fixed in 2 days.

DM> Just a curiosity question based on the idea that we are all out there
DM> discovering things, that we will or will not give up to folks depending on
DM> what we discover. It's the inability to reproduce the issue that interests me
DM> the most, and what as a community should we do when no one else can verify
DM> our results? Well, outside of providing POC code, that may or may not work.

According to the reporter, the vendor was provided with:

1. Problem description
2. PoC code
3. Screenshot
4. Example of the generated report

You can find it on http://www.security.nnov.ru/Fnews30.html

Last (unreplied) message sent to vendor was:

-=-=-=-=-=-=-= begin quote =-=-=-=-=-=-=-

Sent: Wednesday, April 20, 2005 3:05 AM
To: Sam Shober
Subject: RE: [CAS-01370] SPI Dynamics WebInspect Cross-Application Scripting (XAS)

Inline.

>Opening the scan data you sent on a default install of WebInspect 5.0.196
>shows how you are able to execute JavaScript in the report view and reload
>the vulnerability.htm.

It's ok. This is a task of the PoC.

-=-=-=-=-=-=-= end quote =-=-=-=-=-=-=-

As you can see, the security company representative was able to reproduce the problem, but failed to understand what XAS is (and probably what a PoC is) and how it affects a security-related product's security. I agree with the reporter: he did everything to make the vendor fix the problem.

Should we also educate support staff of the company on how to handle security alerts? This time full disclosure before the vendor fix was the _only_ solution and it was quite effective. Now SPI Dynamics has published an e-mail for security alerts, and probably this e-mail will be monitored by more qualified staff in future. Making benefits from the faults is the best a company can do in this case. Customers of SPI Dynamics can feel themselves more secure. Isn't it good?

There are many interesting things about vulnerability disclosure. Vendor coordination is not the only one. Of course, a standard in this area is required; RFPolicy is good, but it has no force.

Another problem with disclosure is information rights. You may like it or not, vulnerability information has its price and this price is high. It's not clear for a vulnerability researcher how he can use his rights for this information and how these rights affect the product vendor and his rights. I feel we will have many problems with this in future.

--
~/ZARAZA
http://www.security.nnov.ru/