What Vendors need to know about vulnerability reporting

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/04/02


Date:         Fri, 4 Jan 2002 08:59:54 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

If you are a Vendor of a computer product related to MS operating systems
which may have a vulnerability, come under attack, or in some way be
exploited...and you'd like to ensure that you find out about such a
vulnerability prior to the public-at-large...pay attention.

From the perspective of NTBugtraq, discoverers of vulnerabilities are
perfectly justified in publishing such things if you have not made it
abundantly clear how they, or I, can contact you. Contacts for security
vulnerabilities should not be your normal support channels, nor should they
be handled through your reception, sales, or other general numbers or email
addresses. Discoverers, and I, want to speak to someone who will be able to
appreciate the gravity of a vulnerability which might affect all of your
users, or as in the case of the AIM vulnerability, potentially 100 million
consumers world-wide.

To this end, one of the following should be done by all Vendors:

1. On your Home Page, "About Us" page, or "Contact Us" page, provide a clear
link to a security reporting contact. This must be either an email address
or a telephone number. 1-800 numbers are good, but remember that many of them
cannot be called from outside of the U.S. and not all discoverers are in the
U.S.

Web forms are not acceptable. Vulnerability information does not always fit
neatly into a form, and forms don't provide any sense that they are being
received or read.

Automatic responses are fine, but make sure they provide a unique tracking
number for follow-up, and a definitive amount of time (no more than 2
business days) before an actual human created response will arrive (e.g.
"Thanks for your report, we've assigned it number 123-ABC, and we will be
contacting you directly within 2 business days to provide you with our initial
response.")

Nobody says you have to fix the problem in that period of time, but if
someone from your company hasn't read the message and provided some sort of
response to the discoverer within those 2 business days, discoverers are
perfectly justified in going public with their information.

Much of this has been documented in the NTBugtraq Disclosure Policy for more
than 3 years now, at http://ntbugtraq.ntadvice.com/policy.asp

2. Join the NTBugtraq Vendor Awareness Network,
http://ntbugtraq.ntadvice.com/ntbugtraqvan.asp

The NTBugtraq VAN is an attempt by me to provide Vendors with an alternative
to handling initial vulnerability reports themselves. Discoverers can be
pointed to NTBugtraq from the Vendors website after providing NTBugtraq with
their contact details. When a report is received for a product relating to
an NTBugtraq VAN Member, NTBugtraq then makes contact with the Vendor after
vetting the report. VAN Members can rest assured that the messages sent to
them from NTBugtraq are reasonable claims of vulnerabilities, and not simply
support requests.

Discoverers who send messages to NTBugtraq can rest assured that NTBugtraq
will make an effort to contact the Vendor involved. If the Vendor is listed
on the NTBugtraq VAN Members page,
http://ntbugtraq.ntadvice.com/vanmembers.asp, then it means that NTBugtraq
has a direct contact at the Vendor who is responsible for security issues.

NTBugtraq does not seek credit in this process, we merely want to ensure
that the public is better protected, and that discoverers are able to get
their issues to Vendors.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Voice: 1-705-878-3405
Email: russ.cooper@rc.on.ca
