BugTraq
RE: Question About Ethics and Full Disclosure May 20 2004 09:31PM
Kevin E. Casey (kcasey nanoweb com) (1 replies)
RE: Question About Ethics and Full Disclosure Jun 09 2004 01:11PM
Joe Klein (jsklein mindspring com) (1 replies)
Re: Question About Ethics and Full Disclosure Jun 09 2004 10:46PM
Stefan de Bruijn (s t j debruijn student utwente nl)
Just my 2 cents - why report it to US-CERT as an exceptional "US" case? I
really don't see why the US should exclusively be informed about all disclosures of
vulnerabilities; not to mention the fact that I trust CERT to be reporting the
disclosures to them if they find that action appropriate.

Greetings,

Stefan de Bruijn.

Joe Klein wrote:

> Below is an outline for my disclosure process.
>
>
> Vulnerability Found:
>
> 1. E-Mail & Call company about finding
>    - Document vulnerability
>    - Document date/time/who you talked to.
>    - Provide an 'ethical disclosure' reporting deadline
>      - one to nine months, depending on the vulnerability
>    - Inform them you will be reporting them to www.cert.org and
>      www.us-cert.gov
>
> 2. Report Vulnerability to:
>    A. www.cert.org :
>       http://www.cert.org/reporting/vulnerability_form.txt
>    B. www.us-cert.gov : cert (at) cert (dot) org
>
> ----
> Vulnerability is addressed - day upgrade/patch is released
>
> 1. Disclose to your favorite list/lists
>    - Disclose your process
>    - Disclose your due diligence
>      - communication to/from company
>      - posting to cert.org and us-cert.gov
>    - Disclose the vulnerability
>
> ----
> Vulnerability not addressed - one to nine months
>
> 1. E-Mail & Call company
>    - Documentation of vulnerability
>    - Documentation of your due diligence
>      - reporting communication to/from company
>      - reporting to cert.org and us-cert.gov
>    - Provide date of disclosure
>
> Day of Disclosure:
>
> 1. Disclose to your favorite list/lists
>    - Disclose your process
>    - Disclose your due diligence
>      - communication to/from company
>      - posting to cert.org and us-cert.gov
>    - Disclose the vulnerability
>
>
> Opinions?
>
>
>
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey (at) nanoweb (dot) com]
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy (at) providesecurity (dot) com; frogman (at) infosecwar (dot) net
> Cc: bugtraq (at) securityfocus (dot) com; security-basics (at) securityfocus (dot) com;
> vuln-dev (at) securityfocus (dot) com; webappsec (at) securityfocus (dot) com
> Subject: RE: Question About Ethics and Full Disclosure
>
>
> Try calling the sales department for the shopping cart vendor. Tell
> them you heard about the 2 vulnerabilities, tell them that when they are
> fixed, you might perhaps buy their product... Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
>
> -----Original Message-----
> From: Tom [mailto:tommy (at) providesecurity (dot) com]
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman (at) infosecwar (dot) net
> Cc: bugtraq (at) securityfocus (dot) com; security-basics (at) securityfocus (dot) com;
> vuln-dev (at) securityfocus (dot) com; webappsec (at) securityfocus (dot) com
> Subject: Question About Ethics and Full Disclosure
>
>
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed. Now I have found a 3rd with new services added to
> this shopping cart.
>
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
>
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
>
> Thanks,
>
> Tom Ryan

--
Sleeping is useful. It ensures that you no longer need to sleep -
and since sleeping is completely useless, sleeping is therefore a useful activity.
