Hello, I hope you've all had a pleasant weekend.

Over the past few months, the number of posts to Bugtraq discussing cross-site scripting and other vulnerabilities in websites/online services has increased. To be consistent with a precedent set before my time, I have approved them when I felt there was some risk to users. It didn't feel right, however. While there should be a forum for discussing these vulnerabilities, I do not believe that Bugtraq is it. Recent feedback from subscribers suggests that many of you agree. This has been brought up before [1]. I would like to, with your help, make a final decision (and adjust the charter accordingly).

Therefore, I am proposing the possibility of a new list for discussion of vulnerabilities in online services and websites. This list could cover:

- Cross-site scripting vulnerabilities in websites
- "Other" vulnerabilities in websites/online services: application bugs, design errors, etc.
- Privacy issues related to online services and websites.

What would not be covered on the list are:

- New classes of attacks that are not specific to any single website or service. This information would belong on a list such as Bugtraq.
- Vulnerabilities in web applications that may be downloaded or purchased. Again, more appropriate for a list like Bugtraq.

There are a few things that I am unsure about:

1. Disclosure

Responsible disclosure will be encouraged. Once a vulnerability in a service or website has been fixed, it does not exist anymore. If an issue has been corrected by a vendor prior to the details being published, is there then a point in publishing? With software or hardware, it can be argued that details should be made public to an uninformed (and vulnerable) public. Some of the arguments that information should be published after the issue has been fixed are:

a) To inform the users that they may have been affected sometime before it was fixed -- "everyone, check your credit card bills".
b) Establish track-records for websites and services.

2. Publishing of vulnerabilities that may result in the website or service provider being damaged or compromised.

This is a tough one. It is not necessary to point out the obvious ethical issue here; however, there is a valid counterpoint. The goal of this list would be to provide a forum for disclosure of vulnerabilities that may ultimately affect the users of online services. The problem is that there is overlap between vulnerabilities that directly affect the hosts/network of the service or website and those that affect users. For example, a website may somehow allow unauthorized access to the underlying database. In this case, both the server and sensitive user data stored on it are at risk. So should this information be made public? What if the site administrator is not responsive to contact attempts and it isn't fixed? If the public is not made aware, they are at risk while the problem persists. If the individual publishes on the list, malicious parties may use the information to directly break into the website/service network. Also, publishing the vulnerability may put pressure on an unresponsive vendor to fix it.

One possibility is to limit the information in these types of posts. Of course, this does not solve the problem. First of all, knowledge that a vulnerability exists is enough for attackers to seek them out. It is naive to assume that malicious individuals won't take the time to find the specifics on their own. There's also the problem of verifying reports: does the moderator review the details and confirm the existence of the vulnerability, then allow a post lacking precise details? If this does not occur, anyone may post vague reports alleging all sorts of vulnerabilities. Facilitating this is irresponsible and potentially damaging to the websites/services. (As it stands, I do not approve such posts on Bugtraq. I have bounced the few reports about vulnerabilities in specific websites sent to the list.)

--

I am looking for your comments on this matter. Here's the basic question: Do you feel that disclosure of service/website vulnerabilities is appropriate on Bugtraq? Would you rather they be announced on a separate list? If you like the idea of a separate list, what are your thoughts on some of the associated issues?

One last thing to keep in mind is that Bugtraq has evolved into a general 'watchdog' forum. For this reason, maybe these issues do belong on the list.

I would love to hear what you think. To keep noise down, I won't approve any feedback on the list. Please reply to me directly.

[1] http://online.securityfocus.com/archive/1/50865

Thank you for your time.

Regards,
Dave Ahmad
SecurityFocus
www.securityfocus.com
This archive was generated by hypermail 2b30 : Sun May 05 2002 - 19:48:26 PDT