Re: Complicated Disclosure Scenario

[KF <dotslash () snosoft com>]

Its real easy ... either A) they put you on pay roll and you fix all
their problems 
or B) They will just have to accept the fact that they made a stupid
move by 
refusing to do their own research (after you post it to the public).
Bottom line is
its THEIR JOB not yours. Once its public domain info they will be FORCED
to fix it 
and research it. I say force it upon them or ask to be paid for your
consulting time.
-KF 

Josha Bronson wrote:
> Greetings fellow security folk,
>
> I would like to gather some opinions on a not so theoretical disclosure
> scenario. Please for the sake of focused discussion keep your replies
> related to the specific scenario that I am proposing and not alternate
> opinions on disclosure in general.
>
> The situation is thus. I have discovered a bug in a major software
> vendors application. Initially the bug presented itself as a way to
> crash the application, i.e. a DoS condition. Upon further research I
> determined that I was able to overwrite some return addresses by
> formating the overflow in a specific way. As we all know this means that
> there is the possibility that this could allow code to be executed on
> the remote system.
>
> At this point I contacted the vendor to alert them to the existence of
> this problem. After exchanging multiple emails, in which I tediously
> outlined the DoS condition and *potential* exploit situation I was told
> that they would wait until I determined if code could be exploited
> before they began creating an advisory or even working on a patch.
>
> I informed this vendor, who is by no means short on resources, that I
> might not be able to successfully make that determination due to
> constraints on my time (after all I do this for fun) and ability, as
> this problem exists on an architecture that I have very little
> experience with.
>
> I encouraged the vendor to begin their own investigation. They ignored
> this, and again stated that they would await my results.
>
> This is the problem as it sits. If I reach out to "the community" for
> additional assistance with researching this bug I might as well just send
> out an advisory. If I release an advisory the vendor will most likely
> not have a patch ready, they will feel violated and the user base will
> be left open to exploitation with no fix. If I do nothing, the problem
> persists and nothing gets accomplished, and maybe someone with not so
> good intentions discovers the same bug and uses it to do harm.
>
> So, what would you do?
>
> --
> Josha Bronson
> dmuz () angrypacket com
> AngryPacket Security