[35244] in bugtraq
Re: Question About Ethics and Full Disclosure
daemon@ATHENA.MIT.EDU (Stefan de Bruijn)
Fri Jun 11 09:15:26 2004
Message-ID: <40C79331.90509@student.utwente.nl>
Date: Thu, 10 Jun 2004 00:46:09 +0200
From: Stefan de Bruijn <s.t.j.debruijn@student.utwente.nl>
MIME-Version: 1.0
To: jsklein@mindspring.com, bugtraq@securityfocus.com
Cc: tommy@providesecurity.com, frogman@infosecwar.net
In-Reply-To: <003f01c44e23$53e36590$6401a8c0@nsaifly>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Just my 2 cents - why reporting it to US-CERT as an exceptional "US"-case? I
really don't see why US should exclusively be informed about all disclosures of
vulnerabilities; not to mention the fact that I trust CERT to be reporting the
disclosures to them if they find that action appropriate.
Greetings,
Stefan de Bruijn.
Joe Klein wrote:
> Below is an outline for my disclosure process.
>
>
> Vulnerability Found:
>
> 1. E-Mail & Call company about finding
> - Document vulnerability
> - Document date/time/who you talked to.
> - Provide an 'ethical disclosure' reporting deadline
> - one to nine months, depending on the vulnerability
> - Inform them you will be reporting them to www.cert.org and
> www.us-cert.gov
>
> 2. Report Vulnerability to:
> A. www.cert.org :
> http://www.cert.org/reporting/vulnerability_form.txt
> B. www.us-cert.gov : cert@cert.org
>
> ----
> Vulnerability is addressed - day upgrade/patch is released
>
> 1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
> ----
> Vulnerability not addressed - one to nine months
>
> 1. E-Mail & Call company
> - Documentation of vulnerability
> - Documentation of your due diligence
> - reporting communication to/from company
> - reporting to cert.org and us-cert.gov
> - Provide date of disclosure
>
> Day of Disclosure:
>
> 1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
>
> Opinions?
>
>
>
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy@providesecurity.com; frogman@infosecwar.net
> Cc: bugtraq@securityfocus.com; security-basics@securityfocus.com;
> vuln-dev@securityfocus.com; webappsec@securityfocus.com
> Subject: RE: Question About Ethics and Full Disclosure
>
>
> Try calling the sales department for the shopping cart vendor. Tell
> them you hard about the 2 vulnerabilities, thll them that when they are
> fixed, you might perhaps buy their product... Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
>
> -----Original Message-----
> From: Tom [mailto:tommy@providesecurity.com]
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman@infosecwar.net
> Cc: bugtraq@securityfocus.com; security-basics@securityfocus.com;
> vuln-dev@securityfocus.com; webappsec@securityfocus.com
> Subject: Question About Ethics and Full Disclosure
>
>
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed. Now I have found a 3rd with new services added to
> this shopping cart.
>
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
>
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
>
> Thanks,
>
> Tom Ryan
--
Slapen is nuttig. Het zorgt er namelijk voor dat je niet meer hoeft te slapen -
en aangezien slapen compleet nutteloos is, is slapen dus een nuttige bezigheid.
