Bugtraq mailing list archives
Posting vulnerabilities
From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Fri, 30 Jun 2000 20:25:58 -0700
Hey Folks,

Every once in a while someone posts to Bugtraq in regards to vendor notification, etiquette when dealing with buggy software vendors etc. It's been a while and since the traffic on Bugtraq and number of bugs/vulnerabilities being reported is growing (exponentially) I thought I'd give it a try. This mail is primarily addressed to people who are publishing vulnerabilities to the list, typically in the form of an advisory. This post also makes some important assumptions. First off, it assumes you actually care what the community thinks of you and assumes that you care about the folks your bug reports will invariably affect.

Before I start it's important to note a few things. My post is NOT an endorsed or supported opinion by SecurityFocus.com; we tend to keep our opinions to ourselves in terms of operating the site. These suggestions I make will in no way affect the way Elias moderates Bugtraq. I am simply addressing this situation as someone who can speak from experience. I have released a large number of advisories at several different companies, during which I have made every conceivable possible mistake at this particular exercise and hopefully can impart some useful tips. I realize everything I am about to suggest here is at times simply not realistic, opportune or even possible. These are to be taken as basic guidelines, not rules of God.

- Release timing

1. Do not release your vulnerability just prior to a holiday. It causes more grief than you can possibly imagine. If you are interested in engendering deep-seated ill will against your organization, company or person - disregard this rule.

2. Do not release your vulnerability on a Friday - people rarely enjoy working the weekend. If you're trying to brand your company by releasing your advisory (and most of you are) it's important to make the best impression. This will not do so.

3. Do not release with remarkably vague details and no fix information. This is like yelling fire in a dance hall. Not pretty.

4. Do not release your advisory on a weekend; read rules 1 and 2.

- Dealing with vendors

1. Give the vendor reasonable time to fix the bug. If the vendor has any size at all or even concern for decent QA - this is NOT a week. It's probably not even two weeks; you're looking at closer to three weeks or a month. Have patience and keep in mind people with lives other than you are also affected by this.

2. Give the vendor a clear timeline. If you lay out a concise roadmap the vendor has a good understanding of how much time they really have and can (possibly) address the situation. Let the vendor know your intentions.

3. If you are clear that a vendor is non-communicative or simply giving you the run around, post the bug and make it clear in the closing text of the advisory why you are releasing with no fix. You should provide a contact (preferably the one you were dealing with) so the people affected by the problem can follow up for a fix.

4. If a vendor threatens legal action, that is worth a post in itself. Some vendors out there tend to do this and it's a terrible way to deal with the problem. All this will do is force this type of information underground (again). Let the community know if a vendor gets litigious as this will help other people who find bugs in their software decide how to approach the vendor.

In closing, if you are going to post vulns (and I hope you all continue as it pays my rent) please keep in mind that the more professional you keep it (fixes, vendor contact info, workarounds, grown up vocabulary) the more the community benefits and the better you look. I imagine Elias will not let this become a discussion thread so please mail me directly if you wish to reply.

Alfred Huger
VP of Engineering
SecurityFocus.com