Dailydave mailing list archives
Re: Moot choices, a sort of DD media party
From: Aviram Jenik <aviram () beyondsecurity com>
Date: Sat, 2 Jul 2005 11:48:56 +0300
On Friday 01 July 2005 18:31, Rodney Thayer wrote:
> What do you do when you find an exploit in a protocol spec? Do you disclose it to the standards body? Do you tell the vendor? Do you simply announce it? If you tell the vendor, is it ok for the vendor to choose to ignore you because they've faithfully implemented the standard and it's Not Their Problem?
A while ago we found a problem in the SMTP standard ("SMTP fragmentation")
that allowed SMTP gateway bypassing in a way similar to TCP fragmentation:
http://www.securiteam.com/securitynews/5YP0A0K8CM.html
We decided the right thing to do was to contact all the relevant vendors we
could find in addition to CERT, and hope for the best. We were actually
surprised for the better - one vendor already knew about the problem and
fixed their products long ago. Other vendors fixed their products within the
timeframe we agreed on, and none of the vendors we talked to claimed it was
an SMTP problem and not theirs.
The nice thing about contacting CERT is that when vendors we didn't contact
(because they weren't on our radar or we couldn't find the proper contact
information) complained, we referred them directly to CERT.
- Aviram
