-----BEGIN PGP SIGNED MESSAGE-----
I would opt for #1. Additionally, contacting CERT and other quasi-government security organizations would be a plus; they might have better luck lighting a fire under the theoretical vendor's ass...
On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <email@example.com> wrote:
> I have a theoretical question of ethics for other security
> professionals that participate in this list. This is not an actual
> situation, but it is a potentially realistic situation that I'm
> interested in exploring and finding an acceptable solution to.
> Suppose a penetration testing company delivers a service to a
> customer. That customer uses a technology that was created by a
> party to host a critical component of their infrastructure. The
> penetration testing company identifies several critical flaws in
> technology and notifies the customer, and the vendor.
> One year passes and the vendor has done nothing to fix the issue.
> customer is still vulnerable and they have done nothing to change
> level of risk and exposure. In fact, let's say that the vendor flat
> refuses to do anything about the issue even though they have been
> notified of the problem. Let's also assume that this issue affects
> thousands of customers in the financial and medical industry and
> them at dire risk.
> What should the security company do?
> 1-) Create a formal advisory, contact the vendor and notify them
> intent to release the advisory in a period of "n" days? If the
> refuses to fix the issue does the security company still release
> advisory in "n" days? Is that protecting the customer or putting
> customer at risk? Or does it even change the risk level as their
> 2-) Does the security company collect a list of users of the
> and notify those users one by one? The process might be very time
> consuming but by doing that the security company might not
> risk faced by the users of the technology, will they?
> 3-) Does the security company release a low level advisory that
> users of the technology to contact the vendor in order to gain
> the technical details about the issue?
> 4-) Does the security company do something else? If so, what is
> appropriate course of action?
> 5-) Does the security company do nothing?
> I'm very interested to hear what people think the "responsible"
> would be here. It appears that this is a challenge that will at
> level create risk for the customer. Is it impossible to do this
> creating an unacceptable level of risk?
> Looking forward to real responses (and troll responses too...
> Full-Disclosure - We believe in it.
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----