Re: Question about ethics when discovering a security fault in system

[Michael Holstein <michael.holstein () csuohio edu>]

> My question is what is good ethics for me to continue with this? Sense I 
> discovered it by mistake, and everyone can do the same thing and 
> everyone can reproduce it. And it is a perimeter security device 
> providing remote access from a large manufacturer. And might be a known 
> problem by others than the manufacturer, how ever the product has only 
> bean on the market for about 2 months.

You write up your advisory, like many that you see here, without 
revealing the details of the exploit.

> What I want a resolution so the device we bought to provide us with 
> remote access and security shall work securely and that the company 
> shall inform other owner of there products about the problem so they 
> wont have the same security breach.

Standard practice is to give the vendor a reasonable amount of time to 
respond. (exact value of that depends on the person .. I'd say ~30 days 
is average .. but some will wait until some number of days AFTER a patch 
is released) -- then you release a modified version of your advisory 
with the exploit details.

Sure .. others might discover it "by accident" .. but security 
researchers that do that aren't the folks that'd write worms or go 
hacking about. It's the scriptkiddies that read PoC code on FD and 
elsewhere that do. Write the advisory (claim your credit of discovery), 
leave out the gory details, and wait for the vendor (reasonably).

Sometimes you've got to nail them with PoC code to get the fire lit .. 
but usually they don't like getting embarassed that way.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/