Advisory advice

Quote:

---

What if the advisory isn't detailed enough? Releasing a detailed enough advisory will still lead to the creation of exploit code. So if someone creates said code, then goes and exploits something that results in the death of someone (say similar scenario as above) are not the vulnerability finder and the company still at fault for giving so many details? At what point do you draw the line?

---

There are other correct ways to go through the disclosure process, I agree with most of them depending on the scenario.

Here's a tricky scenario: A vulnerability in a custom web application, such as websites at Bank One, retailers, forums...

A public PoC code won't help anyone, I think we can all agree on that. But what do you do if the vendor doesn't respond (with and without their attention)? If you release the same advisory to the public that you sent to the vendor, it's only valuable to people who want to attack the site.

Quote:

---

I think we can all agree on that. But what do you do if the vendor doesn't respond (with and without their attention)? If you release the same advisory to the public that you sent to the vendor, it's only valuable to people who want to attack the site.

---

Or valuable to a stockholder who wants to fire the crapheads running the business, or someone sensible who wants to cease doing business with lamers?

IT security has wider implications than the pure IT environment ;)

Good point.

Would others agree that advisories should be made public in this situation? I'm kinda changing my perspective on this, considering I'm in 2 of these situations now...

User's of a site would have to mitigate risk as well...