Re: Full Disclosure of Security Vulnerabilities

From: Patrick J Kobly (patrick@kobly.com)
Date: Thu Nov 01 2007 - 10:44:51 EST


jfvanmeter@comcast.net wrote:
> Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations.
What was the nature of the contract under which you performed this
work? Was it a straight pen-test consulting gig? Have you worked with
this client before? Do you wish to work with them again?

It sounds like you were contracted to do a pen-test and feed the results
back to the client for risk assessment / mitigation. It sounds like you
were also asked to engage and liaise with the vendor with respect to
discovered vulnerabilities.

This situation feels similar to the following hypothetical. Say I was
contracted to write some software for a client. After writing the
software, I decide that I want to release it to the net at large as an
open source package. If I didn't negotiate this with the client in the
contract up front, I can't do it on the back end, without negotiating
with them then - they own the software that I wrote, because it was a
work for hire.

Now, I know there are probably no (legal) intellectual property rights
in the discovery of a vulnerability, but from an ethical perspective,
these situations feel familiar.
> I sent screenshots and a packet capture to the vendor and they were able to recreate the exploit.
>
Has the vendor indicated a time-frame within which they expect a fix?
How prevalent is this software outside your client's organization?
> My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?
>
Have you / your client discovered / deployed reasonable mitigation
strategies for use until the vendor repairs their faulty product?

At this point, I'd suggest that discretion is the better part of valor.
Try to negotiate with your client a reasonable disclosure process.
Suggest that you have a professional responsibility to consider the
impact on other users of this software package. Perhaps:

- Disclosure of vendor / package / presence and type of vulnerability
(where this information does not directly point at an exploitation
technique) on discovery
- Disclosure of vendor / package / presence of vulnerability to [list
specific forums] with mitigation strategies upon discovery and
implementation of mitigation strategies
- Full disclosure of vulnerability including exploit details / packet
dumps / other evidence once vendor has released an update, or once you
have evidence of exploitation in the wild

The point here is that your client needs to be on board. This is _much_
easier to do in initial negotiations, before you conduct the pen-test -
try working it into future contracts...

PK
