Educause Security Discussion mailing list archives
Re: -- Vulnerability Disclosure
From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Wed, 27 Feb 2008 20:11:21 -0500
Sorry, I'm new to the internets -- subject lines help huh?
David Shettler <dshettle () HOLYCROSS EDU> 02/27/08 7:58 PM >>>
Hey all, I'm a tad biased in this given my affiliations, but... what is the consensus on disclosing vulnerabilities you discover in COTS on your network? My method has been as follows:

1) notify the vendor, request them to issue me a timeframe of when THEY would like the vulnerability disclosed publicly
2) if they respond with a timeframe, abide by their request
3) if at all possible, have it be a coordinated disclosure or better yet, a pure vendor disclosure.

If the vendor doesn't respond with a timeframe, I re-request one. If it becomes clear to me they won't, I pick the timeframe. If the vendor requests I not disclose (which just happened now for the first time, prompting this email), I get uncomfortable.

My theory on the matter is, if there is no public disclosure, then 1) vendor incentive is lower, and I may or may not receive a patch to fix my organization's problems, 2) IDS/IPS and vulnerability scanning software manufacturers/communities will never know of it, and thus never be able to protect against it, and 3) there are often dozens of other schools, if not thousands, that I know are equally vulnerable -- and I get to deal with some degree of guilt over the unshared knowledge.

The counter point is, if I disclose, then everyone and their dog knows about it -- including those who would be malicious with said information.

How are others in .edu handling this? Do you go beyond vendor notification? Most vendors I've dealt with happily receive the reports, and are more than willing to issue timeframes and disclose themselves. Recently I've encountered one that is quite the opposite, and they have questioned the ethics behind my methodology.

Dave
College of the Holy Cross
Lead Dev - OSVDB