Bugtraq mailing list archives

Re: Submission


From: Gunther Birznieks <gunther () EXTROPIA COM>
Date: Wed, 29 Nov 2000 08:05:35 +0800

At 02:02 PM 11/27/00 -0500, Geo. wrote:
> I am a supporter of full disclosure, or should I say RESPONSIBLE
> full disclosure.

I'm really glad you support responsible full disclosure (I do too) but allow
me to ask a question. Would you prefer the non-responsible disclosures occur
on some hacker email list somewhere else instead of here? In other words,
are you willing to not get information just because it's not posted
according to the rules you happen to prefer?
I could be very wrong but the likelihood of this happening seems low to
me. A lot of the posts here seem to be from hackers themselves who don't
even respond to an email inquiry if you get to them because they are going
through aliases or whatnot.

In addition, I would venture to guess that a lot more hackers read this
list than you think. Widespread vulnerability knowledge among the
hacker/cracker community before the vendor is given a chance to fix it is
just plain bad.

It's bad because as pointed out many times before, the real users of the
software rarely will ever subscribe to even this list. Therefore, you are
informing only security professionals (whom users themselves rarely hire
until they get broken into) and the hackers/crackers.

Vendors usually have a customer list that they can email vulnerabilities
and fixes to. Ethically, it's better to let the customers know first
directly about the products they are using AND then post to bugtraq (or
preferably coordinated/simultaneously).

That involves cooperation with the vendor.

The rest of this mail responds to others that I've read today:

Personally, I like Rain Forest Puppy's dealing with a vendor whitepaper.
Speaking as a vendor, I try to respond to bugs within 24 hours, but I also
know that because I am in Singapore and travel around the world (and we are
a tiny company) that it's possible that I won't be able to get to email in
a 48 hour period of time. And may not easily be able to remotely confirm a
reported security risk until I am in a better position back at the office
itself.

Of course, we have other people here, so if the security vulnerability were
posted to several email aliases on our site, someone would still always be
in contact with the hacker even if I wasn't personally around.

While this would be a rare occurrence, I think it's unfair to paint a
picture that all vendors are large multi-nationals with a security team
devoted to this stuff or should have a security team devoted to audits and
the like.

Having worked previously in a sector where security audits were
commonplace, I have to say that I am not impressed with some auditors'
capabilities anyway. And I would not be surprised if large companies do put
in the $$$ to hire an auditor, but you don't see that the auditor didn't
catch all the bugs.

Different vendors have different logistical problems. For example, a large
multi-national company may just be slow. That does not mean paralyzed...
But it may be difficult to even find the developer who wrote the software.
In large companies, it's the norm for developers to stay someplace for a
few years and then move on. At that point it may be difficult to come in
and find someone who can magically learn the code so that they can fix a
security bug.

Would you want an inexperienced developer fixing a security bug? Probably
they would introduce yet another security bug -- or they would fix it
poorly so that only one case of the bugs was plugged.

That does not mean the bug should not be fixed or people notified, but that
someone reporting the bug should be patient and work with the vendor to
find a timeline of when the bug will be fixed. That should be mandatory and
reasonable within 2 days of finding the bug, but because of logistical
issues, I think RFP's 5-day limit should be OK.

The #1 thing to remember is to keep communication flowing.

As I said, we are a small vendor... I'd love to fix a bug in 1 day and
every security response we've had in the last 7 years, I've been able to
find a solution in a day and post within 48 hours.

Frankly in the past year, of the stuff posted on bugtraq about our
software, one poster gave a misleading solution to the problem and another
posted completely wrong information about the state of a bug that was fixed
2 years ago. NEITHER poster even attempted to email anyone at extropia.com
or even wait 24 hours to hear a response back.

If anything, the state of the posts on here makes it hard for a security
professional to assess security vulnerabilities properly if the hackers
refuse to cooperate with vendors or even notify them first.

While we may be quibbling over time limits of vendor response time, the fact
is that many hackers are simply not even dropping a SINGLE email AT
ALL. At least this is how I feel from my perspective.

Yours may be different. :)
