
Which disclosure philosophy?


UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Posted Thu Jul 09, 2009 2:33 am

Which disclosure philosophy?

Hello,
lately I have had some discussions about disclosure philosophies. Although I am currently not really into any big exploit development scene, I am still interested in this area. I would like to know whether you follow any strict methodology in the disclosure process, and what you think about the moral and ethical side of this.

I have found a similar thread on this topic but which focuses more on the problems regarding certifications. Still interesting and may be read.

Personally I don't follow any strict rules, as I think it depends on the case itself. Full disclosure, which is probably best known from H D Moore, is certainly important to push and force companies to supply patches and updates. Also, if a vuln. was found which is not public yet, it doesn't mean that no one else is aware of it. But it also means that this information is available to everyone, although not everyone is patching it (if someone is aware of a critical hole in her system she will probably fix it, but often people with little computer knowledge are not aware of it, although it is well-known).
Another thing I like about full disclosure is that vendors probably have to do something in order to fix the vulnerability so as not to lose any customers/clients and "face". However, I have often experienced that companies don't even reply if they were informed first privately and given some time to fix the problem. I have also experienced companies replying in a very angry manner and threatening the person who found the security issue with a lawsuit if she publishes her findings.

Although there are many advantages to full disclosure, there are also disadvantages. When an exploit is released for some very critical systems it may cause huge damage before a patch can be supplied. For this reason I think that it is good in general (again, I think there is no methodology to apply to every case) to give the information first to the manufacturer (responsible disclosure) and then publish it to the public after a certain period of time (is there actually any guideline on how long to wait? Wikipedia writes about fourteen to thirty days, but I read on some other websites about six months).

I would like to know what other EH-Netters think about this and whether you stick to a certain routine... I hope to have a little virtual discussion too. :)
Last edited by UNIX on Thu Jul 09, 2009 2:35 am, edited 1 time in total.

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Posted Fri Jul 10, 2009 11:35 pm

Re: Which disclosure philosophy?

Disclosure to the vendor is noble, however, as you said vendors may reply in a very angry and threatening manner.

Personally, if identifying the vuln involved violating the EULA, I would not disclose it to the vendor. It wouldn't be worth the personal risk. One would also have to be careful not to violate other laws. Some that the EFF mentioned:

  • Computer Fraud and Abuse Act
  • Anti-Circumvention Provisions of the DMCA
  • Copyright law

If it seemed extremely important to disclose to the vendor (even in violation of the above), I would go to great lengths to remain anonymous.

I'm not experienced in the exploit development scene anyway, so this is all hypothetical.
Last edited by elcapitan on Sat Jul 11, 2009 12:01 am, edited 1 time in total.
CISSP, Security+, CEH, OPP, et alii

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Posted Tue Jul 14, 2009 6:29 pm

Re: Which disclosure philosophy?

I prefer a hybrid approach...

I would prefer that vendors be given a chance to resolve the issue; if they don't take care of it in a reasonable amount of time, then public disclosure lets everyone take steps to mitigate the issue.

Some companies (becoming fewer) attack the person who found the issue. In that case I would suggest the same as ElCapitan that you release the issue but maintain anonymity.

I understand that many would disagree with me, since this topic seems to be as close to a religious debate as PCI.
twitter.com/timmedin | http://blog.securitywhole.com

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Posted Wed Jul 15, 2009 12:47 am

Re: Which disclosure philosophy?

I wasn't sure if I should ask this question, but as it concerned me and this is certainly a place where it can be asked and good answers can be expected, I did. Also, I tried not to ask which would be the best or most ethical at all, but about your personal opinions on it.

Thanks for your replies, much appreciated. :)

I think some vendors misinterpret a report and see it as some kind of personal attack, unfortunately. Normally one would think that they should be happy if a bug or vuln. was found, as it should result in bugfixes and updates which eventually lead to a better (more secure) product. Maybe they are afraid of the possible consequences, which are not only the work/effort to fix the issues and the money spent on it.
