Security Incidents mailing list archives
Re: Vendor notification
From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 31 Mar 2005 13:57:49 +0100
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: <snip>
I'm talking about informing about 'bad stuff in the wild' to help the vendor know that we are all protected for this stuff.
<snip> If every such incident was reported to the vendor they would be flooded with absolute garbage all day. How many times do we see "is this a new virus?" and other such questions where the poster hasn't done any basic research or verification at all. I think it's important to ask "do you see this too?" on the appropriate forum, then when you have some verification and discussion you can pass the info on to the vendor if it seems prudent. However most vendors are reading the appropriate forums for thier products and become aware very quickly of any possible issues. When it comes to discussing and disclosing any new security problems, the most important people in the equation are the *users* not the vendors. I agree though that in many cases you would want direct vendor notification, but unless it's something they can fix directly - ie.. patchable - then let the users know first, so that they can setup IDS/IPS rules, configure firewalls or monitor for traffic patterns. Your example was an exploit existing for an already determined vulnerability, in this case I don't think the vendor needs to care about it at all, the presence or lack of an exploit should have no bearing on their time to patch release. If it's a security vulnerability then the patch should be released as soon as reasonably possible. If the patch is already released and the exploit appears, then the vendor doesn't have to know or care, the user however might want to monitor this for their own research/defense. Basically this boils down to.... Find it, discuss it with peers, if the vendor can fix it notify them. -- With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue blog: http://zeedo.blogspot.com site: http://www.bsrf.org.uk CA: www.cacert.org "He who hingeth aboot, getteth hee-haw" - Victor (Still Game)
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 31)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Colin (Mar 31)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- <Possible follow-ups>
- Re: Vendor notification Fergie (Paul Ferguson) (Mar 31)