From the SecurityFocus info on Vuln-Dev:

There are many forums for reporting security bugs and distributing vulnerability code or examples. A prime example of such a forum is the BUGTRAQ mailing-list. However, nearly all of these forums exist mostly for the dissemination of fully-researched reports, and they leave little room for discussion. In addition, many bugs are spotted but not written up, due to lack of interest, time, or expertise. The VULN-DEV list exists to allow people to report potential or undeveloped holes. The idea is to help people who lack expertise, time, or information about how to research a hole do so.

The VULN-DEV list is dedicated to the concept of full disclosure. We believe that release of exploit code serves the security community overall. Since the list is dedicated to interactively researching vulnerabilities, there will generally NOT be an opportunity to warn software vendors or authors. In many cases it will not be clear that there is a problem until the exploit or description is finalized, at which point all list subscribers will know. It is very appropriate to notify vendors or authors as soon as it is clear there is a problem.

You've notified the company and done your part. You may want to inform them that you don't have the resources to explore further, so you will post it to vuln-dev by such and such a time to be explored further. I wouldn't post it as an advisory because that may attract more attention. I'd just say, hey, look what I found, what can you do with it?

Dan

> I would like to gather some opinions on a not so theoretical disclosure
> scenario. Please for the sake of focused discussion keep your replies
> related to the specific scenario that I am proposing and not alternate
> opinions on disclosure in general.

<snip>

> At this point I contacted the vendor to alert them to the existence of
> this problem.

<snip>

> I informed this vendor, who is by no means short on resources, that I
> might not be able to successfully make that determination due to
> constraints on my time (after all I do this for fun) and ability, as
> this problem exists on an architecture that I have very little
> experience with.
>
> I encouraged the vendor to begin their own investigation. They ignored
> this, and again stated that they would await my results.
>
> This is the problem as it sits. If I reach out to "the community" for
> additional assistance with researching this bug I might as well just send
> out an advisory. If I release an advisory the vendor will most likely
> not have a patch ready, they will feel violated and the user base will
> be left open to exploitation with no fix. If I do nothing, the problem
> persists and nothing gets accomplished, and maybe someone with not so
> good intentions discovers the same bug and uses it to do harm.
>
> So, what would you do?
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 12:19:58 PST