[Full-disclosure] Question about ethics when discovering a security fault in system

From: Torbjörn Samuelsson (torbjorn.samuelsson_at_gmail.com)
Date: 10/27/05

    Date: Thu, 27 Oct 2005 20:28:36 +0200
    To: full-disclosure@lists.grok.org.uk
    
    
    
    

    Hi

    I stumbled upon a security fault (discovered it by mistake) this Sunday
    in a perimeter security device.
    The day after I contacted the manufacturer and informed them about it
    and later that evening they acknowledged the problem and they were able
    to reproduce it.

    My question is what is good ethics for me to continue with this? Since I
    discovered it by mistake, and everyone can do the same thing and
    everyone can reproduce it. And it is a perimeter security device
    providing remote access from a large manufacturer. And might be a known
    problem by others than the manufacturer, however the product has only
    been on the market for about 2 months.

    What I want is a resolution so the device we bought to provide us with
    remote access and security shall work securely and that the company
    shall inform other owners of their products about the problem so they
    won't have the same security breach.

    BR Tobbe

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


