Comments on: Reporting Vulnerabilities is for the Brave

By: Brave Professor Teaches New Vulnerability Reporting Trick - /Cry

Brave Professor Teaches New Vulnerability Reporting Trick - /Cry — Sun, 03 Jun 2007 23:27:12 +0000

[...] trick: don't; that is basically the gist of what Pascal Meunier, a professor at Perdue, has to say after his brisk run-in with the law following the time that he [...]

By: Digitalia » Links For Tuesday 23rd May 2006

Digitalia » Links For Tuesday 23rd May 2006 — Mon, 29 May 2006 11:51:42 +0000

[...] Reporting Vulnerabilities is for the Brave Simple, clear demonstration of how arse-backwards authorities are in dealing with people who report security flaws in IT. Report a problem, and suddenly, you become top of the suspect list for any criminal access. Anyone else see the flaws in that plan? (tags: security politics) [...]

By: M1kael

M1kael — Sun, 28 May 2006 13:24:50 +0000

this is very dependent on the vendor hosting the website or the product found vulnerable. You can’t lump all together anymore than you can say that ALL vulnerability researchers are blackhat “crackers” looking to cash in on their findings or do nefareous activity. It might help to check on the vendor’s site to see if they have a security address, their vuln handling policy clearly posted, an address to post security information, etc. Many do actually and abide by those policies

By: wkwillis

wkwillis — Sat, 27 May 2006 08:32:43 +0000

This is what big, nasty, class action tort lawsuit lawyers are for.
You have to make the companies more afraid of not fixing the flaw than of the work of fixing it. You have to convince the companies that accusing the reporter is a bad idea.
The first time some company that has punished a reporter is taken down by a hacker and then bankrupted by a tort lawyer is when we will have companies thanking you for pointing out a vulnerability.
It’s not that big, nasty, class action tort lawyers are good, it’s that the alternative is worse.

By: ++Don

++Don — Fri, 26 May 2006 16:05:15 +0000

@Mulhall:
>1 The police will suspect you
>So what?

So, do you like having your finances and phone records snooped through, or having your house ransacked and your property seized, or being arrested? Law enforcement is a very, very blunt instrument, and anyone with any sense of self-preservation will fear it. I will never, ever trust the police to do the right thing if I’m the object of investigation.

>It seems to me that the problem is your lack of confidence
>in the justice system of your society

Precisely.

By: Andrew

Andrew — Thu, 25 May 2006 09:27:50 +0000

To use Joe from Australia’s analogy of the office building: If you were to find a back door of the bulding lying wide open, you probably wouldn’t go inside. If it obviously left open by mistake, and SHOULD be shut you might stick your head around the door and shout “hello”, but more likely you’ll go to the front door, and tell the receptionist, or security guard.

if it was an office, I doubt the company would accuse you of opening the door, nor of intruding thru the door, so why should a network be any different. Ability doesn’t automatically mean action.

By: PeterP

PeterP — Thu, 25 May 2006 08:34:39 +0000

@Mulhall: You obviously think that the prisons are ONLY full of guilty people.

By: Mulhall

Mulhall — Thu, 25 May 2006 07:44:56 +0000

Why are you afraid of becoming a suspect?
A suspect is not a convict.

Pascal Meunier has given two reasons for you to be afraid:
1 The police will suspect you
So what?
2 They’ll want to speak to the student who found the vulnerability?
So what?

You’ve found a vulnerability and you feel it’s your civic duty to report it, but you don’t feel it’s your civic duty to help the police follow it up?

It seems to me that the problem is your lack of confidence in the justice system of your society, not in the way vulnerability reports are handled.

By: PsicoIT Support

PsicoIT Support — Wed, 24 May 2006 23:00:24 +0000

Toda Buena Acción Será Castigada ®

Tal como lo detalla Pascal Meunier (un científico del Center for Education and Research in Information and Assurance) en su blog, la tarea, casi siempre "de onda", de reportar vulnerabilidades en software o sit …

By: meneame.net

meneame.net — Wed, 24 May 2006 12:25:03 +0000

Reportar vulnerabilidades es para valientes

Si encuentras comportamientos extraños en un sitio web, no intentes confirmar que es vulnerable, no se lo cuentes a nadie ni intentes fardar, olvídalo, borra cualquier evidencia que implique que conoces el problema, no eres responsable de ese sitio w…