|Main Archive Page > Month Archives > full-disclosure-uk archives|
I suppose that could be a good action, but doing that would potentially put the security companies customer at risk. Granted, in the argument they were already notified of the risk. So the question is, is that the ethical choice? Is that a good business choice?
Elazar Broad wrote:
> I would opt for #1, additionally, contacting CERT and other quasi-
> government security organizations would be a plus, they might have
> better luck lighting a fire under the theoretical vendors ass...
> On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <firstname.lastname@example.org>
>> I have a theoretical question of ethics for other security
>> professionals that participate in this list. This is not an actual
>> situation, but it is a potentially realistic situation that I'm
>> interested in exploring and finding an acceptable solution to.
>> Supposed a penetration testing company delivers a service to a
>> customer. That customer uses a technology that was created by a
>> party to host a critical component of their infrastructure. The
>> penetration testing company identifies several critical flaws in
>> technology and notifies the customer, and the vendor.
>> One year passes and the vendor had done nothing to fix the issue.
>> customer is still vulnerable and they have done nothing to change
>> level of risk and exposure. In fact, lets say that the vendor flat
>> refuses to do anything about the issue even though they have been
>> notified of the problem. Lets also assume that this issue affects
>> thousands of customers in the financial and medical industry and
>> them at dire risk.
>> What should the security company do?
>> 1-) Create a formal advisory, contact the vendor and notify them
>> of the
>> intent to release the advisory in a period of "n" days? If the
>> refuses to fix the issue does the security company still release
>> advisory in "n" days? Is that protecting the customer or putting
>> customer at risk? Or does it even change the risk level as their
>> still exists.
>> 2-) Does the security company collect a list of users of the
>> and notify those users one by one? The process might be very time
>> consuming but by doing that the security company might not
>> increase the
>> risk faced by the users of the technology, will they?
>> 3-) Does the security company release a low level advisory that
>> users of the technology to contact the vendor in order to gain
>> access to
>> the technical details about the issue?
>> 4-) Does the security company do something else? If so, what is
>> appropriate course of action?
>> 5-) Does the security company do nothing?
>> I'm very interested to hear what people thin the "responsible"
>> would be here. It appears that this is a challenge that will at
>> level create risk for the customer. Is it impossible to do this
>> creating an unacceptable level of risk?
>> Looking forward to real responses (and troll responses too...
>> - simon
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
-- Self Storage Options - Click Here. http://tagline.hushmail.com/fc/Ioyw6h4eNgR1BRhFB3CXCR61VEtfAqJ45ZV34qDMKcjsXBCGM0kWG5/ -- - simon ---------------------- http://www.snosoft.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/