Re: Full Disclosure of Security Vulnerabilities

From: jfvanmeter@comcast.net
Date: Thu Nov 01 2007 - 11:20:02 EST


Hello Patrick
 -------------- Original message ----------------------
From: Patrick J Kobly <patrick@kobly.com>
> jfvanmeter@comcast.net wrote:
> > Hello Everyone, I would like to get your thoughts on Full Disclosure of
> > Security Vulnerabilities. About 3 weeks ago during a pen-test of a software
> > suite for a client of mine, I found a directory traversal in a software suite
> > that my client has installed on thousands of workstations.
> What was the nature of the contract under which you performed this
> work? Was it a straight pen-test consulting gig? Have you worked with
> this client before? Do you wish to work with them again?
>
> It sounds like you were contracted to do a pen-test and feed the results
> back to the client for risk assessment / mitigation. It sounds like you
> were also asked to engage and liaise with the vendor with respect to
> discovered vulnerabilities.
>
> This situation feels similar to the following hypothetical. Say I was
> contracted to write some software for a client. After writing the
> software, I decide that I want to release it to the net at large as an
> open source package. If I didn't negotiate this with the client in the
> contract up front, I can't do it on the back end, without negotiating
> with them then - they own the software that I wrote, because it was a
> work for hire.
>
> Now, I know there are probably no (legal) intellectual property rights
> in the discovery of a vulnerability, but from an ethical perspective,
> these situations feel familiar.
> > I sent screen shots and a packet capture to the vendor and they were able
> > to recreate the exploit.
> >
> Has the vendor indicated a time-frame within which they expect a fix?
No
> How prevalent is this software outside your client's organization?
The client has thousands of them, so potentially there could be a large number of organizations that have hundreds

> > my client doesn't want to go public with it because of the thousands of
> > workstations and servers that it's installed on. I also don't believe the vendor
> > will go public with it. What would you all do?
> >
> Have you / your client discovered / deployed reasonable mitigation
> strategies for use until the vendor repairs their faulty product?
Currently I'm working on using IPSec to control access to the ports

> At this point, I'd suggest that discretion is the better part of valor.
> Try to negotiate with your client a reasonable disclosure process.
> Suggest that you have a professional responsibility to consider the
> impact on other users of this software package. Perhaps:
>
> - Disclosure of vendor / package / presence and type of vulnerability
> (where this information does not directly point at an exploitation
> technique) on discovery
> - Disclosure of vendor / package / presence of vulnerability to [list
> specific forums] with mitigation strategies upon discovery and
> implementation of mitigation strategies
> - Full disclosure of vulnerability including exploit details / packet
> dumps / other evidence once vendor has released an update, or once you
> have evidence of exploitation in the wild
>
> The point here is that your client needs to be on board. This is _much_
> easier to do in initial negotiations, before you conduct the pen-test -
> try working it into future contracts...
>
> PK

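The interim mitigation mentioned above (using IPsec to control access to the vulnerable service's ports while the vendor has no fix date) can be scripted on Windows with the netsh ipsec static context. The script below is an added example written for this archive page; it is not from the original posters and says nothing about the actual product. Everything specific to it is assumed: that the affected workstations run Windows XP SP2 / Server 2003 or later, that the vulnerable service listens on TCP port 8080, and that only a management subnet 10.1.0.0/16 legitimately needs to reach it. Change those values to match the real environment before use.

```batch
@echo off
REM Added example, not code from the original thread: block a vulnerable
REM service's TCP port for everyone except a management subnet using a
REM Windows IPsec filtering policy (netsh ipsec static). Intended as an
REM interim mitigation until the vendor releases a fix.
REM
REM Assumed values (none appear in the thread):
REM   PORT       - the port the vulnerable service listens on (assumed TCP)
REM   MGMT_NET   - the only subnet that should still reach that port
set PORT=8080
set MGMT_NET=10.1.0.0
set MGMT_MASK=255.255.0.0
set POLICY=Block-VulnService

REM Filter list 1: any source -> this host on the service port.
REM mirrored=yes also matches the return traffic.
netsh ipsec static add filterlist name="%POLICY%-Any"
netsh ipsec static add filter filterlist="%POLICY%-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%PORT% mirrored=yes

REM Filter list 2: management subnet -> this host on the service port.
REM Windows IPsec applies the most specific matching filter, so the
REM permit bound to this list wins over the broader block for MGMT_NET.
netsh ipsec static add filterlist name="%POLICY%-Mgmt"
netsh ipsec static add filter filterlist="%POLICY%-Mgmt" srcaddr=%MGMT_NET% srcmask=%MGMT_MASK% dstaddr=me protocol=TCP srcport=0 dstport=%PORT% mirrored=yes

REM Filter actions: a plain block and a plain permit (no IKE negotiation,
REM so nothing depends on the peer supporting IPsec).
netsh ipsec static add filteraction name="%POLICY%-Block" action=block
netsh ipsec static add filteraction name="%POLICY%-Permit" action=permit

REM Create the policy unassigned, bind the two rules, then assign it.
netsh ipsec static add policy name="%POLICY%" description="Interim mitigation: restrict vulnerable service port" assign=no
netsh ipsec static add rule name="Block-All" policy="%POLICY%" filterlist="%POLICY%-Any" filteraction="%POLICY%-Block"
netsh ipsec static add rule name="Permit-Mgmt" policy="%POLICY%" filterlist="%POLICY%-Mgmt" filteraction="%POLICY%-Permit"
netsh ipsec static set policy name="%POLICY%" assign=y

REM Show the result; then confirm from a host outside MGMT_NET that a
REM connection to the port now fails, and from inside it that it succeeds.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Only one IPsec policy can be assigned to a machine at a time, so on a domain this belongs in a Group Policy IPsec policy rather than a per-host script; the local version above is useful for testing the rule set on a single workstation first. Keep the permit list as narrow as the business allows: every host that can still reach the port can still reach the directory traversal.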
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT