Bugtraq mailing list archives

Posting vulnerabilities


From: ah () SECURITYFOCUS COM (Alfred Huger)
Date: Fri, 30 Jun 2000 20:25:58 -0700


Hey Folks,

Every once in a while someone posts to Bugtraq in regards to vendor
notification, etiquette when dealing with buggy software vendors etc. It's
been a while and since the traffic on Bugtraq and number of
bugs/vulnerabilities being reported is growing (exponentially) I thought I'd
give it a try.

This mail is primarily addressed to people who are publishing
vulnerabilities to the list, typically in the form of an advisory. This
post also makes some important assumptions. First off, it assumes you
actually care what the community thinks of you and assumes that you care
about the folks your bug reports will invariably affect.

Before I start it's important to note a few things. My post is NOT an
endorsed or supported opinion by SecurityFocus.com; we tend to keep our
opinions to ourselves in terms of operating the site. These suggestions I
make will in no way affect the way Elias moderates Bugtraq. I am simply
addressing this situation as someone who can speak from experience. I have
released a large number of advisories at several different companies;
during which I have made every conceivable possible mistake at this
particular exercise and hopefully can impart some useful tips.

I realize everything I am about to suggest here is at times simply not
realistic, opportune or even possible. These are to be taken as basic
guidelines not rules of God.

-       Release timing

1.      Do not release your vulnerability just prior to a holiday. It causes
more grief than you can possibly imagine. If you are interested in
engendering deep seated ill will against your organization, company or
person - disregard this rule.

2.      Do not release your vulnerability on a Friday - people rarely enjoy
working the weekend. If you're trying to brand your company by releasing
your advisory (and most of you are) it's important to make the best
impression. This will not do so.

3.      Do not release with remarkably vague details and no fix
information. This is like yelling fire in a dance hall. Not pretty.

4.      Do not release your advisory on a weekend; read rules 1 and 2.

-       Dealing with vendors

1.   Give the vendor reasonable time to fix the bug. If the vendor has any
size at all or even concern for decent QA - this is NOT a week. It's
probably not even two weeks; you're looking at closer to three weeks or a
month. Have patience and keep in mind people with lives other than you are
also affected by this.

2.      Give the vendor a clear timeline. If you lay out a concise roadmap the
vendor has a good understanding of how much time they really have and can
(possibly) address the situation. Let the vendor know your intentions.

3.      If you are clear that a vendor is non-communicative or simply giving
you the run around, post the bug and make it clear in the closing text of
the advisory why you are releasing with no fix. You should provide a
contact (preferably the one you were dealing with) so the people affected
by the problem can follow up for a fix.

4.      If a vendor threatens legal action that is worth a post in
itself. Some vendors out there tend to do this and it's a terrible way to
deal with the problem. All this will do is force this type of information
underground (again). Let the community know if a vendor gets litigious as
this will help other people who find bugs in their software decide how to
approach the vendor.

In closing, if you are going to post vulns (and I hope you all continue as
it pays my rent) please keep in mind that the more professional you keep
it (fixes, vendor contact info, workarounds, grown up vocabulary) the more
the community benefits and the better you look.

I imagine Elias will not let this become a discussion thread so please mail
me directly if you wish to reply.

Alfred Huger
VP of Engineering
SecurityFocus.com
