Security Incidents mailing list archives
Re: Vendor notification
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Thu, 31 Mar 2005 07:07:34 -0800
Actually that's my point...they DID want to know that was in the wild. As of Friday there were no reports of 05-002 exploits. They wanted to see samples of it because at this time the 98 version of the patch is having issues. It helps guide the message 'at this time we have/have not seen expoits...blah blah"
I'm saying that if it's an brand new exploit in the wild that there should be notification.....like you said.. "have you seen this?" If no one says yes, you contact and make sure the vendor is aware.
Susan Barrie Dempster wrote:
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: <snip>I'm talking about informing about 'bad stuff in the wild' to help the vendor know that we are all protected for this stuff.<snip> If every such incident was reported to the vendor they would be flooded with absolute garbage all day. How many times do we see "is this a new virus?" and other such questions where the poster hasn't done any basic research or verification at all. I think it's important to ask "do you see this too?" on the appropriate forum, then when you have some verification and discussion you can pass the info on to the vendor if it seems prudent. However most vendors are reading the appropriate forums for thier products and become aware very quickly of any possible issues. When it comes to discussing and disclosing any new security problems, the most important people in the equation are the *users* not the vendors. I agree though that in many cases you would want direct vendor notification, but unless it's something they can fix directly - ie.. patchable - then let the users know first, so that they can setup IDS/IPS rules, configure firewalls or monitor for traffic patterns. Your example was an exploit existing for an already determined vulnerability, in this case I don't think the vendor needs to care about it at all, the presence or lack of an exploit should have no bearing on their time to patch release. If it's a security vulnerability then the patch should be released as soon as reasonably possible. If the patch is already released and the exploit appears, then the vendor doesn't have to know or care, the user however might want to monitor this for their own research/defense. Basically this boils down to.... Find it, discuss it with peers, if the vendor can fix it notify them.
--An open letter to the Security Community:: http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
Current thread:
- Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 31)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Colin (Mar 31)
- Re: Vendor notification Barrie Dempster (Mar 31)
- Re: Vendor notification Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Mar 30)
- <Possible follow-ups>
- Re: Vendor notification Fergie (Paul Ferguson) (Mar 31)