[VIM] Responsible Disclosure Article
jericho at attrition.org
Sat Sep 16 08:49:34 EDT 2006
: 1. Vendors need time to find, address, and fix the problem. During this
: period all systems all vulnerable, which seems to be alright assuming
: the researcher is the only one who knows about the vulnerability. So,
: how often do you think this assumption is false? Let's take the most
: recent Apple advisory for QuickTime (APPLE-SA-2006-05-11) - for
: CVE-2006-1249 concerning the integer overflow in FlashPix images, Apple
: credits two different, probably independent researchers. If two people
: reported to Apple how can we be certain that no one else is already
: active exploiting it?
On my overly long, overly backed up 'todo' list..
I noticed a year or two ago that some of the big vendors (I think it was
'Real' originally) were reporting multiple researchers discovered an issue
in the advisory. This made me wonder how often that occured, where
multiple creditees were recognized for a big issue. I had planned to dig
into that more for a blog piece, then give a firm challenge to
anyone/everyone to prove me wrong when I said that just because someone
'privately' reported a vuln to a vendor (MS loves that term), doesn't mean
that bad guys aren't currently abusing the same issue. If two researchers
(or more) can find the same bug, and both can sit on it for months at a
time.. then we would be stupid to believe it stopped there.
More information about the VIM