That's a good way of doing it. I think it would be better to shorten the
period of time from 1-9 months to 1-5. When you're reporting a
vulnerability, you should try and report the fix for it too. In my opinion,
exploit code should be posted a few weeks after the vulnerability has been
reported to ensure that the company works on a fix.
-OptiKal Mouse
>From: "Joe Klein" <jsklein (at) mindspring (dot) com [email concealed]>
>Reply-To: <jsklein (at) mindspring (dot) com [email concealed]>
>To: "'Kevin E. Casey'" <kcasey (at) nanoweb (dot) com [email concealed]>,<tommy (at) providesecurity (dot) com [email concealed]>,
><frogman (at) infosecwar (dot) net [email concealed]>
>CC: <bugtraq (at) securityfocus (dot) com [email concealed]>,
><security-basics (at) securityfocus (dot) com [email concealed]>,<vuln-dev (at) securityfocus (dot) com [email concealed]>,
><webappsec (at) securityfocus (dot) com [email concealed]>
>Subject: RE: Question About Ethics and Full Disclosure
>Date: Wed, 9 Jun 2004 08:11:48 -0500
>
>Below is an outline for my disclosure process.
>
>
>Vulnerability Found:
>
>1. E-Mail & Call company about finding
> - Document vulnerability
> - Document date/time/who you talked to.
> - Provide an 'ethical disclosure' reporting deadline
> - one to nine months, depending on the vulnerability
> - Inform them you will be reporting them to www.cert.org and
>www.us-cert.gov
>
>2. Report Vulnerability to:
> A. www.cert.org :
>http://www.cert.org/reporting/vulnerability_form.txt
> B. www.us-cert.gov : cert (at) cert (dot) org [email concealed]
>
>----
>Vulnerability is addressed - day upgrade/patch is released
>
>1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
>----
>Vulnerability not addressed - one to nine months
>
>1. E-Mail & Call company
> - Documentation of vulnerability
> - Documentation of your due diligence
> - reporting communication to/from company
> - reporting to cert.org and us-cert.gov
> - Provide date of disclosure
>
>Day of Disclosure:
>
>1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
>
>Opinions?
>
>
>
>-----Original Message-----
>From: Kevin E. Casey [mailto:kcasey (at) nanoweb (dot) com [email concealed]]
>Sent: Thursday, May 20, 2004 4:31 PM
>To: tommy (at) providesecurity (dot) com [email concealed]; frogman (at) infosecwar (dot) net [email concealed]
>Cc: bugtraq (at) securityfocus (dot) com [email concealed]; security-basics (at) securityfocus (dot) com [email concealed];
>vuln-dev (at) securityfocus (dot) com [email concealed]; webappsec (at) securityfocus (dot) com [email concealed]
>Subject: RE: Question About Ethics and Full Disclosure
>
>
>Try calling the sales department for the shopping cart vendor. Tell
>them you heard about the 2 vulnerabilities, tell them that when they are
>fixed, you might perhaps buy their product... Sales motivates
>development... Or at the least might get you to a person at the vendor
>who cares.
>
>-----Original Message-----
>From: Tom [mailto:tommy (at) providesecurity (dot) com [email concealed]]
>Sent: Thursday, May 20, 2004 3:43 PM
>To: frogman (at) infosecwar (dot) net [email concealed]
>Cc: bugtraq (at) securityfocus (dot) com [email concealed]; security-basics (at) securityfocus (dot) com [email concealed];
>vuln-dev (at) securityfocus (dot) com [email concealed]; webappsec (at) securityfocus (dot) com [email concealed]
>Subject: Question About Ethics and Full Disclosure
>
>
>I have sat on 2 vulnerabilities for a shopping cart for over a year and
>nothing has changed. Now I have found a 3rd with new services added to
>this shopping cart.
>
>I have emailed support several times but NEVER get a response. As a
>security professional, and not to be unethical, what would be a
>recommended path to follow?
>
>* Notify their customers (several 100)
>* Notify the Payment Gateways they are Authorized to use (VeriSign,
>PayPal, Authorize.NET)
>* Be a total A** and just release it to all the mailing lists and at
>DEFCON
>
>BTW...I have sent several emails to various parts of VeriSign and NOBODY
>has responded as to the proper person to notify within the organization
>about this. I chose VeriSign because this cart is at the Top of Their
>List!
>
>IF anyone knows who to contact from VeriSign, authorize.net and PayPal
>about this please email me directly.
>
>Thanks,
>
>Tom Ryan