So, I discovered a vulnerability in a vendor’s software, which I reported to them on January 18, 2008, and to which they responded the same day.
All well and good.
Yes, it’s that blasted disclosure discussion again. Now, of the vendors I have dealt with up until now (save one other), the turnaround time has been phenomenal. They have all been easy to work with, and I was more than willing to accommodate their timelines so that they could get their products fixed up.
No problem.
Well, I got this email from them today. Let’s call them vendor “X”. In response to my email checking in about our previously agreed-upon June release,
The update from the dev team is that they now expect that we will have all updates for impacted products available in November. It turns out that we will have to update all supported products which use [the software in question], and that the fix will need to be localized for our international customers.
I should point out that they indicated that they would have to fix the international versions of said software when they wrote me back in January.
I have to say my good will is sparse at the moment.
Granted, this will affect a wide array of their products, but November? Am I being too harsh? I’m wondering whether or not to post it anyway. Not a path that I would normally consider, as I like to try and play nice, but almost a year to fix the problem seems rather excessive.
What would you do?
Perhaps disclose it vaguely. To clarify, outline the repercussions, but don’t distribute exploit code.
It could be argued that you are just making it easier for unskilled individuals to go around hacking systems; however, just because no one has released your 0day yet does not mean you are the first to discover it (not that I love you any less). Anyone skilled enough to recreate the exploit based on a vague description is probably skilled enough to find it on their own, regardless of a hint. There is a big difference, in terms of attackers, between saying, “there is a flaw in that may allow an attacker to execute arbitrary code on the system,” and handing them Metasploit. Perhaps it’d be more appropriate to say: whether you disclose it or not, the flaw still exists.
Your time frame sounds reasonable. If you were to grab your ankles, they would have no need to patch, ever, because they believe that if they keep asking you nicely, you will continue to comply. This is another major problem with vendors: we pay them for what can often amount to shitty software/support. The message must be made clear, though not in a malicious (or vindictive) way, that the security community has to clean up their messes, and pushing back patch dates is not a good way to make your product popular or trustworthy.
./endrant.pl
I so agree with Brooks,
Don’t distribute exploit code.
Granted, using this software exposes you to having the vulnerability used on you. I would ask them to inform you when it’s fixed, as you will not be using the software until it is.
Of course, customer satisfaction may work to get it fixed faster: contact their customer support and ask for a refund.
@ Brooks & Doug
No worries. I’m not the type to release working exploit code at any rate. That’s just not my thing. I did, however, receive another update from vendor “X” today, and I now fully understand the delay. It’s amazing what a little more detail will do for someone’s frame of reference. The short answer is that I kicked over a much bigger ant hill than I had imagined. So, I’m going to play nice and wait until November. That is my hard stop. I’ll release the advisory at that point, come hell or high water.
Thanks for your comments. I appreciate when folks take the time to weigh in.
cheers!