Educause Security Discussion mailing list archives

Re: -- Vulnerability Disclosure


From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Wed, 27 Feb 2008 20:11:21 -0500

Sorry, I'm new to the internets -- subject lines help huh?

David Shettler <dshettle () HOLYCROSS EDU> 02/27/08 7:58 PM:
Hey all,

I'm a tad biased in this given my affiliations, but... what is the consensus on disclosing vulnerabilities you discover 
in COTS on your network?

My method has been as follows:

  1) notify the vendor, request them to issue me a timeframe of when THEY would like the vulnerability disclosed 
publicly
  2) if they respond with a timeframe, abide by their request
  3) if at all possible, have it be a coordinated disclosure or better yet, a pure vendor disclosure.

If the vendor doesn't respond with a timeframe, I re-request one.  If it becomes clear to me they won't, I pick the 
timeframe.

If the vendor requests I not disclose (which just happened now for the first time, prompting this email), I get 
uncomfortable.

My theory on the matter is, if there is no public disclosure, then 1) vendor incentive is lower, and I may or may not 
receive a patch to fix my organization's problems, 2) IDS/IPS and vulnerability scanning software 
manufacturers/communities will never know of it, and thus never be able to protect against it, and 3) There are often 
dozens of other schools, if not thousands, that I know are equally vulnerable -- and I get to deal with some degree of 
guilt over the unshared knowledge.

The counter point is, if I disclose, then everyone and their dog knows about it -- including those who would be 
malicious with said information.

How are others in .edu handling this?  Do you go beyond vendor notification?

Most vendors I've dealt with happily receive the reports, and are more than willing to issue timeframes and disclose 
themselves.  Recently I've encountered one that is quite the opposite, and they have questioned the ethics behind my 
methodology.

Dave
College of the Holy Cross
Lead Dev - OSVDB
