Slashdot Mirror


Reporting Vulnerabilities Is For The Brave

An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"

6 of 245 comments

  1. Depends on who you report to by overshoot · · Score: 4, Insightful

    All things considered, it's a whole lot safer (not to mention more profitable) to notify the black hats about vulnerabilities rather than the vendors or the public.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  2. And that's why I use open source by disasm · · Score: 5, Insightful

    Open Source projects don't interrogate and try to prosecute you if you find a security problem and report it.

    1. Re:And that's why I use open source by Rakishi · · Score: 3, Insightful

      Yup. First thing that came to me when I saw this was: "God, this is a great counter when people claim OSS is less secure."

  3. Anonymous Email by Anonymous Coward · · Score: 3, Insightful
    You see, it's simple. Even if Bob's Software knows about the flaw in Program, they can at least say with a straight face that they had no idea it existed. Once you announce it publicly, they have been officially notified that the flaw exists. At that point, anything serious that happens, say Program causes some other company to lose lots of money, puts Bob's Software as a responsible party for allowing this known flaw to exist.

    What you did was open the door to litigation against Bob's Software for negligence. Bob's Software doesn't want the flaw to become public. When you stand up and point the finger at Bob's Software, they will be looking for someone to pass the litigation fees on to, so you get sued. Not only that, someone needs to be made an example of so others don't try it in the future.

    Anonymous email accounts are easy to come by. Send an anonymous announcement to the Full Disclosure mailing list and be done with it. Otherwise you're risking the legal bills of fighting whatever company decides to sue you.

  4. Posting anonymously by Alien54 · · Score: 3, Insightful
    I think a vulnerability can be reported anonymously quite safely (for a good deal of people anyway).

    Of course, this means that everyone else finds out about vulnerabilities first. This might not be exactly what they wanted when they made it illegal to report.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  5. Re:Don't ever report a flaw! Ever! by jonfr · · Score: 3, Insightful

    Learn to speak my language (Icelandic), then I am going to take you seriously.