Interesting position to find yourself in, and in some ways I feel for the vendors position as well.

Its not unusual for security professionals to enter into NDA when dealing with a client, and in some cases the vendor can't be 'totally' responsible if users don't update their own systems (but imo it should provide default, auto update facility for a device which is essentially set and forget for most).

Ultimately, I'd say the decision is yours alone, with no real right or wrong answer. Training is expensive, and security practitioners deserve to be paid for their skills and effort. On the other hand it is likely (no offense intended) that other parties are either already aware of the weakness or will be in the future, however I'd also suggest that users that don't apply vendor supplied updates, probably arent reading through the infosec community looking for vulnerabilities in their network either.

If I was in your shoes? You've found a flaw, the vendor has resolved the issue. Hard work is done, time to get paid.

(and if this wasn't the ethical hacker network, I'd int out that coincidences happen, and it's not impossible for an unrelated third party to reverse a patch, identify the flaw fixed and release......)

They are working under the (probably misguided) assumption that you are the only person that knows about the vulnerability. The problem with their approach is that while a fix might be available, they are withholding important information from their clients about why they should patch!

Without more info, I'll come to the vendors defence on this one. Just because a PoC and detailed analysis isn't released doesn't mean end users (who probably wouldn't understand a PoC anyway) can't be provided with information sufficient to tell them why a patch is required.

Microsoft (et al.) security bulletins will detail the scope of the effective issue, but rarely provide enough technical information to allow a third party to replicate the issue with further debugging, analysis and reversing.

Do you wait or research every update to your own systems before applying? Or accept that the vendor is (supposedly) fixing an identified issue?

For years, security researchers have essentially worked for free by researching security issues and reporting them to vendors.  Many vendors now pay for vulnerabilities.  If they pay, they can dictate the terms of disclosure.

Third parties are also purchasing vulnerabilities and demanding an NDA.  Some just wish to report the vulnerability through their service, possibly after their product (IDS/IPS) can detect it.  Others (e.g. government agencies) purchase exploits against major products so they can use them offensively.

If the vendor will pay you for your time, take the money.  How they decide to report is up to them.

Thanks for your answers guys.


And this is exactly the problem! Most of my found vulnerabilities might be easy to reproduce for an attacker, even if they only state the type of the vulnerability in their patch notes. So patching it silently might be the right way here. But the problem will still persist on the devices of the people who simply cannot update due to a missing technical understanding. If the devices would auto-update, this wouldn't probably be a problem, but this is not implemented for some reasons.

So the vendor doesn't like to see the vulnerability to be disclosed because of loosing reputation and of course to protect their customers in the obvious "security through obscurity" way.

@3xban:
I had a talk with the product manager again about the situation and he clearly stated that they appreciate all of my further findings too.

I finally agree with unicityd - if and how they report this issue to their customers is their descision/problem, so I decided to take their offer.

Regards.