I would opt for #1. Additionally, contacting CERT and other quasi-government security organizations would be a plus; they might have better luck lighting a fire under the theoretical vendor's ass...

elazar

On Sat, 27 Sep 2008 03:39:34 +0000 Simon Smith <[EMAIL PROTECTED]> wrote:
>Greetings,
> I have a theoretical question of ethics for other security
>professionals that participate in this list. This is not an actual
>situation, but it is a potentially realistic situation that I'm
>interested in exploring and finding an acceptable solution to.
>
> Suppose a penetration testing company delivers a service to a
>customer. That customer uses a technology that was created by a third
>party to host a critical component of their infrastructure. The
>penetration testing company identifies several critical flaws in the
>technology and notifies the customer, and the vendor.
>
> One year passes and the vendor has done nothing to fix the issue. The
>customer is still vulnerable and they have done nothing to change their
>level of risk and exposure. In fact, let's say that the vendor flat out
>refuses to do anything about the issue even though they have been
>notified of the problem. Let's also assume that this issue affects
>thousands of customers in the financial and medical industry and puts
>them at dire risk.
>
> What should the security company do?
>
>1-) Create a formal advisory, contact the vendor and notify them of the
>intent to release the advisory in a period of "n" days? If the vendor
>refuses to fix the issue does the security company still release the
>advisory in "n" days? Is that protecting the customer or putting the
>customer at risk? Or does it even change the risk level as their risk
>still exists.
>
>2-) Does the security company collect a list of users of the technology
>and notify those users one by one? The process might be very time
>consuming but by doing that the security company might not increase the
>risk faced by the users of the technology, will they?
>
>3-) Does the security company release a low level advisory that notifies
>users of the technology to contact the vendor in order to gain access to
>the technical details about the issue?
>
>4-) Does the security company do something else? If so, what is the
>appropriate course of action?
>
>5-) Does the security company do nothing?
>
>I'm very interested to hear what people think the "responsible" action
>would be here. It appears that this is a challenge that will at some
>level create risk for the customer. Is it impossible to do this without
>creating an unacceptable level of risk?
>
>Looking forward to real responses (and troll responses too...
>especially n3td3v).
>
>--
>
>- simon
>
>----------------------
>http://www.snosoft.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
