Title: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: Manu Zacharia (-M-) on August 01, 2006, 04:31:06 AM

Hi All,

What do you think should be the modus operandi for an ethical hacker while dealing with a new exploit? To put it more clearly and in simple terms, say for example, an ethical hacker comes across a new exploit while working. Now the first step that he will be initiating is to protect his systems from the subject exploit. What are the other steps that an ethical hacker is supposed to do? Do any of the certification bodies talk about these issues? Is he supposed to inform anybody, or can he submit a work report on the exploit to any of the certification bodies?

Regards,
Morpheus

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: LSOChris on August 01, 2006, 08:52:19 AM

Release it 0day so you can get your 15 minutes of fame!!!

Just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: Manu Zacharia (-M-) on August 01, 2006, 12:48:12 PM

> Release it 0day so you can get your 15 minutes of fame!!!
> Just kidding, generally you are supposed to contact the vendor so they can begin working on a patch.

Hi LSOChris,

I totally agree with your suggestion. But the core part of the question is whether any of the certification standards talk about these issues? Request responses from CISSPs and CEHs from their professional and academic experiences on the subject question.

Regards,
Morpheus

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: oleDB on August 01, 2006, 12:52:50 PM

I believe it's best practice to notify the vendor and give them 6 months to patch prior to releasing to the public. From all that I've heard, many times they don't respond at all. If they don't do anything in 6 months, post to the bugtraq list or your site of choice.

iDefense and some others also offer payment for previously unknown exploits, and I believe they pay well for remote root exploits, as opposed to others like local, priv escalation or DoS.

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: Kev on August 01, 2006, 01:17:04 PM

I don't remember anything in the CEH certification standards having a clear policy concerning that issue. The CEH is about testing security in a similar manner as an attacker, not about developing exploits or what you should do if you discover 0day vulnerabilities. If by some chance you were the victim of a 0day and were able to recover the exploit, there is a basic code of ethics for the CEH to do no harm and to do what's best for the community. Obviously that would mean to contact the vendor.

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: LSOChris on August 02, 2006, 08:54:45 PM

There are several "disclosures" and different hats subscribe to different ones. Use Google.

I don't recall seeing one for CISSP or CEH or CPTS, more of moral questions like should you just release it to the public without contacting the vendor or not.

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: Hug_It on August 04, 2006, 09:03:42 AM

I recently listened to a podcast roundtable that was made up mostly of security professionals and a couple of security vendors. This exact question came up and the panel was split down the middle. Some of the security pros said they wanted to know about the problem immediately so they at least had the information and possibly could put in some type of safeguards to mitigate it. The vendors, not surprisingly, said they should know first so they can start working on a solution.

I don't believe any of the certifications deal with this issue because they all come from the practitioner or manager perspective. New exploits usually come from researchers and real crackers. Completely different animals.

Title: Re: What is the Modus Operandi for an ethical hacker while dealing with new exploits
Post by: Manu Zacharia (-M-) on September 29, 2006, 10:34:02 PM

Hi All,

While searching for a Responsible Vulnerability Disclosure Policy, I came across these sample policies which could be of great use to us. Sharing the info:

http://www.wiretrip.net/rfp/txt/ietf-draft.txt
http://www.zerodayinitiative.com/legal.html

Also some interesting articles about emerging issues in Responsible Vulnerability Disclosure:

http://osvdb.org/blog/?p=15

Regards,
The Morpheus