Bugtraq mailing list archives
Re: Submission
From: Gunther Birznieks <gunther () EXTROPIA COM>
Date: Wed, 29 Nov 2000 08:05:35 +0800
At 02:02 PM 11/27/00 -0500, Geo. wrote:
> I am a supporter of full disclosure, or should I say RESPONSIBLE
> full disclosure.

I'm really glad you support responsible full disclosure (I do too), but allow me to ask a question. Would you prefer the non-responsible disclosures occur on some hacker email list somewhere else instead of here? In other words, are you willing to not get information just because it's not posted according to the rules you happen to prefer?
I could be very wrong, but the likelihood of this happening seems low to me. A lot of the posts here seem to be from hackers themselves who don't even respond to an email inquiry if you get to them, because they are going through aliases or whatnot. In addition, I would venture to guess that a lot more hackers read this list than you think. Having the vulnerability knowledge widespread among the hacker/cracker community before the vendor is given a chance to fix it is just plain bad. It's bad because, as pointed out many times before, the real users of the software will rarely ever subscribe to even this list. Therefore, you are informing only security professionals (whom users themselves rarely hire until they get broken into) and the hackers/crackers. Vendors usually have a customer list that they can email vulnerabilities and fixes to. Ethically, it's better to let the customers know first directly about the products they are using AND then post to bugtraq (or preferably coordinated/simultaneously). That involves cooperation with the vendor.

The rest of this mail responds to others that I've read today:

Personally, I like Rain Forest Puppy's whitepaper on dealing with a vendor. Speaking as a vendor, I try to respond to bugs within 24 hours, but I also know that because I am in Singapore and travel around the world (and we are a tiny company), it's possible that I won't be able to get to email in a 48 hour period of time, and may not easily be able to remotely confirm a reported security risk until I am in a better position back at the office itself. Of course, we have other people here, so if the security vulnerability were posted to several email aliases on our site, someone would still always be in contact with the hacker even if I wasn't personally around.
While this would be a rare occurrence, I think it's unfair to paint a picture that all vendors are large multi-nationals with a security team devoted to this stuff, or should have a security team devoted to audits and the like. Having worked previously in a sector where security audits were commonplace, I have to say that I am not impressed with some auditors' capabilities anyway. And I would not be surprised if large companies do put in the $$$ to hire an auditor, but you don't see that the auditor didn't catch all the bugs.

Different vendors have different logistical problems. For example, a large multi-national company may just be slow. That does not mean paralyzed... But it may be difficult to even find the developer who wrote the software. In large companies, it's the norm for developers to stay someplace for a few years and then move on. At that point it may be difficult to come in and find someone who can magically learn the code so that they can fix a security bug. Would you want an inexperienced developer fixing a security bug? Probably they would introduce yet another security bug -- or they would fix it poorly so that only one case of the bug was plugged.

That does not mean the bug should not be fixed or people notified, but that someone reporting the bug should be patient and work with the vendor to find a timeline of when the bug will be fixed. That should be mandatory and reasonable within 2 days of finding the bug, but because of logistical issues, I think RFP's 5-day limit should be OK. The #1 thing to remember is to keep communication flowing. As I said, we are a small vendor... I'd love to fix a bug in 1 day, and for every security response we've had in the last 7 years, I've been able to find a solution in a day and post within 48 hours.
Frankly, in the past year, of the stuff posted on bugtraq about our software, one poster gave a misleading solution to the problem and another posted completely wrong information about the state of a bug that was fixed 2 years ago. NEITHER poster even attempted to email anyone at extropia.com or even wait 24 hours to hear a response back. If anything, the state of the posts on here makes it hard for a security professional to assess security vulnerabilities properly if the hackers refuse to cooperate with vendors or even notify them first. While we may be quibbling over time limits for vendor response, the fact is that many hackers are simply not even dropping a SINGLE email AT ALL. At least this is how I feel from my perspective. Yours may be different. :)