Disclosure or Blatant Advertising?

http://www.osvdb.org/blog/?p=60

Security advisories are a form of advertising. First and foremost, they are
used to promote the technical capability of a security company and showcase
its talent. If a researcher or company were completely altruistic, they would
not release an advisory and would not care about credit when the vendor
released its own. Releasing vulnerability information has been used as a
form of marketing for over a decade, and it works for everyone: the company
releasing the information gets free press, and the security community gets
vulnerability information in return. In recent years, many companies have
relied on it to get started and attract their initial customer base.

With the full vs. responsible disclosure debate a constant cloud hanging
over security companies, they must be careful not to scare away potential
customers by giving the impression that they don't care about security or
about the repercussions of their disclosures. As such, many companies have
taken a very strong stance on responsible disclosure, some arguably taking
it too far.

One example of this strong stance is NGSSoftware, which began withholding
details of vulnerabilities for 90 days so that administrators have
plenty of time to patch. This is a good thing overall, and NGSS has set a
good example showing that security companies can help the community while
protecting it at the same time. Of course, NGSS should make sure to release
those details once the 90 days are up, something they don't always do in a
timely fashion. An example of NGSS' policy can be seen in their recent
post to Full-Disclosure as well as their immediate follow-up. While vague, it
does tell us that multiple vulnerabilities were found, what software they
were found in, and what types of vulnerabilities they are. These correspond
to information provided in the Oracle security bulletin and serve as an
indication of the severity and importance of the vendor patch.

A few weeks ago, Integrigy Corporation took it too far in my opinion. In a
posting to Full-Disclosure titled Vulnerabilities in Oracle E-Business Suite
11i - Critical Patch Update October 2005, they provided a four page summary
of .. no vulnerability disclosure. The bulk of the post was to point out
they had released analysis of the Oracle patches and what it could mean for
customers. While this information is helpful, it is NOT disclosing a
vulnerability in any fashion. The only thing resembling disclosure was the
Œcredit¹ section which states:

    Some of the vulnerabilities fixed in the Critical Patch Update October
2005 were discovered and reported to Oracle by Stephen Kost of Integrigy
Corporation.

This isn't disclosing a vulnerability, and should not be posted to a list
centered around full disclosure. The company name "Integrigy" appears 14
times in the post, and their company URL 3 times. They mention their
products AppSentry and AppDefend a total of four times.

Argue all you want, but this is blatant advertisement, not a security
advisory.



You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.