Thread: Vulnerability submissions

  1. #1

    Vulnerability submissions

    I think I may have found my first "vulnerability"

    I have already submitted it to its vendor, but I think it should be released to the public. I was wondering what reputable vulnerability databases there are, and what other people submit to?

    I would like to maintain credit for finding it, as well. I don't want to "hand it over" somewhere only to have my name stripped from it.
    Suggestions? Thanks!

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    There's a certain amount of ethics involved with disclosure of vulnerabilities. It's good that you have informed the vendor but how long have you given them to respond and address the issue?

    It sounds from the tone of your post that the primary motivation for the disclosure is the name recognition. I might suggest that this is not an appropriate motivation for publicly disclosing a vulnerability that may cost others dearly until the vendor has clearly ignored or dismissed the issue for a significant period.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    It sounds from the tone of your post that the primary motivation for the disclosure is the name recognition.
    In a sense, yes. I am looking to possibly pursue this as a career in the distant future, and I would like some kind of "resume material" in the meantime. By no means will I publicly release the code, but the fix for it (which is easy) will accompany the advisory. The vendor has had almost no time (probably hasn't even opened the email) to do anything about it, and in the meantime I am investigating any other steps that should be taken, given the situation should arise that the vendor keeps it silent.

    What ethics are involved in this type of situation? Are you supposed to wait before submitting to vulnerability databases, or do you have to receive some kind of response from the vendor first?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What ethics are involved in this type of situation? Are you supposed to wait before submitting to vulnerability databases, or do you have to receive some kind of response from the vendor first?
    Whoa.... Big question....

    Disclaimer: What follows are my opinions. There is huge debate about this on the full-disclosure list on bugtraq, IIRC.

    I guess it all starts with the seriousness of the vulnerability. Is this a critical, remote vulnerability that allows an attacker to execute his code of choice in the context of system/root or admin, or is it a situation where the attacker needs to be at the console and might be able to elevate his privilege to that of a power user on the local machine? The severity of the vulnerability really dictates the path that should be taken. The level of severity should dictate the vendor response. You also need to see it from the vendor's point of view: they get swamped with "vulnerabilities" and it takes time to verify whether they are real, imagined or simply made up. This being the case, releasing the exploit 35 minutes after emailing them isn't really "cricket".

    The complexity may also play a part here too. If the exploit is trivial then the response should be quicker, if it takes a deep knowledge of several different systems/languages/protocols then it may take longer for the vendor to test and verify. Don't forget also that while the exploit might work on your home network it is possible that the way you have it configured allows the exploit and that configuration may be "abnormal" and the exploit won't work under other configurations.

    I'm saying all that to allow you to understand that the vendor may take several weeks to give any response other than "We received your exploit". Depending on the severity you should contact them regularly, (the greater the severity the more the contact), and you should keep a record of the entire transaction so that if you are forced to disclose due to vendor inaction then you can show the lengths you went to to get them to acknowledge the issue, (it will look better on your resume if you appear to have been responsible).

    Then there's the question of vendor response and co-operation. If they genuinely are interested and maintain proactive conversation with you then give them some slack. If they pooh-pooh you or are reticent to acknowledge the issue then give them fair warning that disclosure will take place on a given, (reasonable), date. If their attitude changes then give them some slack - if it doesn't then be reasonable about the time frame and release it to BugTraq along with the log of vendor contact.

    It's imperative that we give the vendors a reasonable chance to address problems. If we don't then we put innocent bystanders at risk. That's where the ethics of disclosure lies, the innocent bystanders who don't watch the full disclosure lists and probably only update their software when the vendor tells them they need to or when the version they have becomes unsupported.... or worse..... never.

    Your disclosure to BugTraq will forever hold your name and the vendor contact list showing you to be both talented and responsible..... That holds more water with an employer than a long list of discovered vulnerabilities that are freely disclosed in an irresponsible manner to the detriment of many and possibly including that prospective employer.....

    Good Luck
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I guess it all starts with the seriousness of the vulnerability. Is this a critical, remote vulnerability that allows an attacker to execute his code of choice in the context of system/root or admin or is it a situation where the attacker needs to be at the console and might be able to elevate his privilege to that of a power user on the local machine?
    Excellent point, Tiger. Soda, something you should also take into consideration is that ethically you might not want to disclose the vulnerability publicly until the patch is ready/supplied by the vendor or you have given them a way to patch it, so that once the vulnerability does go public, people can't take advantage of it and the vendor can offer its customers/etc. a patch.
    Space For Rent.. =]

  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    If the vendor does respond to it, and even comes out with a patch, can you not still submit it to BugTraq as a found exploit with vendor response and patch?
    I really don't know and have wondered about this.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mox:

    Yes, there are lots of BugTraq disclosures that state that the vendor has fixed the issue in version xx.xx.xx or that the patch is available at www.wherever.com.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Thanks Tiger,
    So Soda will get his recognition even if the vendor uses the information as it should. All that would be involved is a waiting period to document the path to a solution.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  9. #9
    I would like to maintain credit for finding it, as well. I don't want to "hand it over" somewhere only to have my name stripped from it.

    It would be better if you could send it to the vendor only and wait for their response. M$ usually responds really fast and they will tell you if they are interested or not, then they will ask you to wait for some time so they can do some research. Most people, including me, do not like waiting for one or two weeks and would post it to bugtraq or fulldis. If you can not wait for two or three weeks, send it to vuldb@securityfocus.com; they would open a new bid if it is really a vulnerability and then they would ask you if they can add the exploit to their database or not. This is real good because you can protect the users by asking SF not to release the exploit. I have worked with securityfocus.com on three or four vuls and I would recommend them in case you want to release it to the public.
    Here is a list of some comp/orgs you can send your vuln to:

    comp/org                          contact info

    http://www.cert.org               cert@cert.org
    http://www.us-cert.gov            cert@cert.org
    http://www.securityfocus.com      ...urityfocus.com
    http://www.securitytracker.com    ...itytracker.com
    http://www.secunia.com            ...ln@secunia.com
