RE: Follow up on "How much do you disclose to customers?"

From: Rob Shein (shoten_at_starpower.net)
Date: 01/08/04

  • Next message: Christopher Downs: "Re: VMWare and which linux distro?"
    To: <ethanpreston@ziplip.com>, <pen-test@securityfocus.com>
    Date: Wed, 7 Jan 2004 18:40:37 -0500
    
    

    That slashdot post talks about something entirely different. The vendor in
    question didn't come up with a list of vulnerabilities that were bad...they
    pointed at the sole security engineer as the vulnerability himself.
    Furthermore, they then moved in to replace him. This is rather a no-no in
    terms of the OSTMM, for obvious reasons. It's one thing if a company reacts
    or even overreacts to a report of factual findings (an open port is an open
    port, regardless of office politics or the sales quota of a vendor) and
    fires someone; it's another thing if the company producing the report goes
    so far over the line as to state that an employee of another organization is
    to blame for insecurity. I don't feel that if this vendor got sued that I'd
    be nervous about legal risk when handing over a report done my way.

    > -----Original Message-----
    > From: ethanpreston@ziplip.com [mailto:ethanpreston@ziplip.com]
    > Sent: Tuesday, January 06, 2004 5:21 PM
    > To: pen-test@securityfocus.com
    > Subject: Follow up on "How much do you disclose to customers?"
    >
    >
    > The list previously hashed out the pros and cons of informing
    > the client's entire personnel about the coming pen-test. One
    > of the issues that came up was the potential for the client's
    > employed security staff to use the advance notice to game the
    > results and skew the test results:
    > http://seclists.org/lists/pen-test/2003/Dec/0105.html
    >
    > How does the pen-test community on this list deal with the
    > possibility of legal reprisal from the client's employees?
    > No matter what contractual liability limitations you can
    > negotiate with the client, that won't extend to an employee
    > that gets canned because one's report paints them in an
    > incompetent light.
    >
    > I think there's a slashdot post on this topic (from the other
    > side), where at least some of the posters start muttering for
    > legal action.
    > http://ask.slashdot.org/article.pl?sid=03/12/19/0456221&mode=thread&tid=126&tid=163

    Cheers,

    Ethan


