
Disclosure Philosophies


UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 16, 2010 3:46 pm

Disclosure Philosophies

I am currently working on a small article which is all about disclosure philosophies, therefore I wanted to ask what members from EH-Net think about full/responsible disclosure and why you prefer one over the other. What are the risks associated with the different disclosure philosophies, if there are any, and which problems can you see with one or the other? Would you agree to the statement that responsible disclosure is only appropriate when doing a hired pentest for a client and not from an individual's perspective?

Those are just a few questions, feel free to add your thoughts on this and bring up other aspects which should be considered before publishing one's findings.

I came to this idea when I read some time ago a thread about a person who found some vulnerabilities on a website (I thought it was at EH-Net, but I can't find it anymore) and asked how to inform the owner of it, considering the fact that he had no permission to audit it.

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Mar 17, 2010 5:29 am

Re: Disclosure Philosophies

What are the risks associated with the different disclosure philosophies, if there are any,
There are; the best known ones are informing the company and waiting, informing the company and then disclosing it, or simply disclosing it. Depending on the "color of hat" you're wearing, this decision can be easy.

and which problems can you see with one or the other?
Being the white hat that I am, I would always inform the company/person who owns the software first, and give him a time window (depending on the complexity of the vulnerability) to fix it. After that I would disclose it to the "scene". The only problem that occurs is that most companies don't appreciate the effort you took to hunt down the vulnerability. This can lead (depending on the country) to lawsuits and everything that comes with it.

Would you agree to the statement that responsible disclosure is only appropriate when doing a hired pentest for a client and not from an individual's perspective?
In an ideal world this would be the way to discover vulnerabilities. The problem that is addressed here lies with the average quality of software that is being produced. Once this is taken care of (and again, in an ideal world security would be implemented throughout the whole development process) the only reason to do a pentest would be to check if all security measures are taken and all the settings are correct.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Wed Mar 17, 2010 9:10 am

Re: Disclosure Philosophies

I haven't given this much thought yet. But for the ethical hacker I think you would give the company enough time to fix the vulnerability, then disclose it. It's a bit of common sense in my opinion as you don't want to hurt the company.

If you're actually hired by some company for vulnerability research, then wouldn't everything be in the contract?
ZF

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Mar 17, 2010 9:45 am

Re: Disclosure Philosophies

It's a tough subject, I think. In most cases, I would favor full disclosure to the software developer, and limited disclosure by the software developer. This would allow the software developer to release a brief statement regarding the vulnerability, hopefully with just enough information for its customers to adjust their IDS to detect the new attacks. As a software vendor, I would not release the full details of a vulnerability.

However, sometimes, software vendors downplay or ignore the vulnerability. Full disclosure to the public can force the software vendor to fast track a patch.
~~~~~~~~~~~~~~
Ketchup

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 19, 2010 8:18 am

Re: Disclosure Philosophies

I am almost finished with the article, so I wasn't exactly looking for answers to my questions. I thought it might be useful as some kind of input. ;)

zeroflaw wrote: It's a bit of common sense in my opinion as you don't want to hurt the company.

Here it also depends on the viewpoint, in my opinion. Disclosure must not mean that you try to hurt a company. E.g. if you have found a vulnerability, report it to the vendor and then wait, how can you know that someone else hasn't found the same vulnerability and is using it? During the whole reporting and waiting process, it's not clear how many people are already aware of it and exploit it to their benefit. Full disclosure might here, as already stated by Ketchup, push the vendor very hard to take action and come up with a fix.

If you were hired by a vendor to do a vulnerability assessment or pentest, this question does not come up, as it's clear that your findings belong to the vendor only. I think one must differentiate between the viewpoints here.

Unfortunately some ignore [them] totally, which can be very frustrating. I have seen quite a few vendors who not only ignored the reported vulnerabilities, but even tried to threaten the researcher with legal measures. I think that's a sad thing, as usually one tries to be of help when reporting to the vendor directly. Even if one gets a response, it doesn't mean that it will really be dealt with then. It might not be the duty of the researcher to keep up the contact with the vendor, but often it seems like it. Another question which might come up once a vulnerability was reported is how long one should actually wait until the information is given to the public.
Last edited by UNIX on Fri Mar 19, 2010 10:07 am, edited 1 time in total.

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Fri Mar 19, 2010 8:30 pm

Re: Disclosure Philosophies

It depends :-)

I have a multiple-personality disorder on this topic.
On one hand passing the information to the vendor to manage responsibly always appears to be the best, ethical approach.

Then this is where the voices kick in:
What if the vendor has a bad track record or will take months to fix it?
What if this is really impacting the security of a core system?
What if you see this vulnerability being used as a live exploit?

If I know a vulnerability exists I can plan for it and provide mitigation or have someone smarter tell me how to make my system safe.

Given the scenario that I hired you to test my systems and during that test you discover X vulnerability in a piece of my network, let's say you find the recent VMware directory traversal issue, you report that. It should be my job to pressure the vendor to fix what you found and for them to provide mitigation in the meantime.

In the scenario I found a vulnerability, I'd contact the vendor, but also reach out to a couple of trusted industry groups or people to act as proxies. This would heavily depend on the vendor and their reputation. If I got burnt by the vendor, then human nature could dictate that you take a more direct method next time.

I can understand the concept of bypassing a slow or unresponsive vendor and publishing the vulnerability to the unwashed masses of the internet. Does it make for a faster resolution by the vendor given a massive public outcry? Some Microsoft out-of-band patch releases may lead you to believe that is the case.

I'd hope that people would act in the community's best interest and not be motivated out of ego. This does conflict with telling the vendor first, but what measure of respect do you give a company willing to put out bad code and refuse to fix it over hundreds of thousands of people suffering loss or exploitation of their systems?
