[35231] in bugtraq


RE: Question About Ethics and Full Disclosure

daemon@ATHENA.MIT.EDU (Syste Op)
Thu Jun 10 19:57:17 2004

From: "Syste Op" <sysop5@hotmail.com>
To: jsklein@mindspring.com
Cc: bugtraq@securityfocus.com, security-basics@securityfocus.com,
        vuln-dev@securityfocus.com, webappsec@securityfocus.com
Date: Thu, 10 Jun 2004 12:59:53 -0400
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY12-F58UkFzsI4Kse000570cd@hotmail.com>

That's a good way of doing it. I think it would be better to shorten the 
period of time from 1-9 months to 1-5. When you're reporting a 
vulnerability, you should try and report the fix for it too. In my opinion, 
exploit code should be posted a few weeks after the vulnerability has been 
reported to ensure that the company works on a fix.
-OptiKal Mouse

>From: "Joe Klein" <jsklein@mindspring.com>
>Reply-To: <jsklein@mindspring.com>
>To: "'Kevin E. Casey'" <kcasey@nanoweb.com>,<tommy@providesecurity.com>, 
><frogman@infosecwar.net>
>CC: <bugtraq@securityfocus.com>, 
><security-basics@securityfocus.com>,<vuln-dev@securityfocus.com>, 
><webappsec@securityfocus.com>
>Subject: RE: Question About Ethics and Full Disclosure
>Date: Wed, 9 Jun 2004 08:11:48 -0500
>
>Below is an outline for my disclosure process.
>
>
>Vulnerability Found:
>
>1. E-Mail & Call company about finding
>	- Document vulnerability
>	- Document date/time/who you talked to.
>	- Provide an 'ethical disclosure' reporting deadline
>		- one to nine months, depending on the vulnerability
>	- Inform them you will be reporting them to www.cert.org and www.us-cert.gov
>
>2. Report Vulnerability to:
>	A. www.cert.org :
>http://www.cert.org/reporting/vulnerability_form.txt
>	B. www.us-cert.gov : cert@cert.org
>
>----
>Vulnerability is addressed - day upgrade/patch is released
>
>1. Disclose to your favorite list/lists
>	- Disclose your process
>	- Disclose your due diligence
>		- communication to/from company
>		- posting to cert.org and us-cert.gov
>	- Disclose the vulnerability
>
>----
>Vulnerability not addressed - one to nine months
>
>1. E-Mail & Call company
>	- Documentation of vulnerability
>	- Documentation of your due diligence
>		- reporting communication to/from company
>		- reporting to cert.org and us-cert.gov
>	- Provide date of disclosure
>
>Day of Disclosure:
>
>1. Disclose to your favorite list/lists
>	- Disclose your process
>	- Disclose your due diligence
>		- communication to/from company
>		- posting to cert.org and us-cert.gov
>	- Disclose the vulnerability
>
>
>Opinions?
>
>
>
>-----Original Message-----
>From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
>Sent: Thursday, May 20, 2004 4:31 PM
>To: tommy@providesecurity.com; frogman@infosecwar.net
>Cc: bugtraq@securityfocus.com; security-basics@securityfocus.com;
>vuln-dev@securityfocus.com; webappsec@securityfocus.com
>Subject: RE: Question About Ethics and Full Disclosure
>
>
>Try calling the sales department for the shopping cart vendor.  Tell
>them you heard about the 2 vulnerabilities, tell them that when they are
>fixed, you might perhaps buy their product...  Sales motivates
>development... Or at the least might get you to a person at the vendor
>who cares.
>
>-----Original Message-----
>From: Tom [mailto:tommy@providesecurity.com]
>Sent: Thursday, May 20, 2004 3:43 PM
>To: frogman@infosecwar.net
>Cc: bugtraq@securityfocus.com; security-basics@securityfocus.com;
>vuln-dev@securityfocus.com; webappsec@securityfocus.com
>Subject: Question About Ethics and Full Disclosure
>
>
>I have sat on 2 vulnerabilities for a shopping cart for over a year and
>nothing has changed.  Now I have found a 3rd with new services added to
>this shopping cart.
>
>I have emailed support several times but NEVER get a response. As a
>security professional, and so as not to be unethical, what would be a
>recommended path to follow?
>
>* Notify their customers (several 100)
>* Notify the Payment Gateways they are Authorized to use (VeriSign,
>PayPal, Authorize.NET)
>* Be a total A** and just release it to all the mailing lists and at
>DEFCON
>
>BTW...I have sent several emails to various parts of VeriSign and NOBODY
>has responded as to the proper person to notify within the organization
>about this. I chose VeriSign because this cart is at the Top of Their
>List!
>
>IF anyone knows who to contact from VeriSign, authorize.net and PayPal
>about this please email me directly.
>
>Thanks,
>
>Tom Ryan


