> -----Original Message----- > From: smcalearney@xxxxxxx [mailto:smcalearney@xxxxxxx] > Sent: Friday, January 12, 2007 9:08 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: seeking comments on disclosure articles > > > Vulnerability Disclosure: Where Do You Stand? I follow the RFP philosophy. Do a good gob verifying the problem, attempt to contact the vendor, ask them to respond in 5 days (not fix it in 5 days, respond) and if they don't, publish it. If I found it, someone else can. If a vendor then fixes it without coordinating a release, or does not give credit to the security researcher, then I say modify the next report to that vendor and tell them you are going to disclose in 5 days due to their not following the rules. I always put this at the top of the initial report to vendor: This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html. You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. This policy encourages open communication, and I look forward to working with you on resolving the problem detailed below. (Shawna, drop me a line and I can give you examples of major security companies that had problems with their own products, and not only did they gloss over the problem, but pretended they could not reproduce it, fixed it, didn't give the researcher credit, and have never sent a fixed copy for the researcher to verify) I don't think that undocumented, unsubstantiated claims do anyone any good. I don't think a security researcher should disclose a vulnerability without giving the vendor a chance to respond. If the vendor follow 'the rules' then further cooperation is encouraged. If a vendor pretends the problem will go away, then I say they don't deserve the warning. I can also think of another vendor of a VPN product that had huge gaping security holes (and the recommended installation straddled the firewall!). I was talked out of disclosure and found out that not only did they never fix the problem, but shortly after they were bought by another company. I don't know if the holes were ever fixed. At least one year later and that other company has not come out with a VPN. No, I think that if a vulnerability exists and isn't fixed, it should be disclosed. Hiding the problem doesn't help. Not disclosing vulnerabilities from vendors who refuse to fix their systems doesn't help. Bottom line: Our company policy, and first choice is to work with the vendor on a fix and a coordinated release of information. If that doesn't work, then public disclosure may be the only way to force them to take some responsibility for their products. http://www.secnap.com/aboutus.php?pg=4 -- Michael Scheidell, CTO SECNAP Network Security Corporation Web based Security and Privacy training: http://www.secnap.com/training ----------------------------------------------------------------- This email has been scanned and certified safe by SpammerTrap(tm) For Information please see http://www.spammertrap.com
