Vulnerability Nondisclosure
A nondisclosure policy within a company means that whoever signs the nondisclosure agreement agrees to keep vulnerability information tightly contained within that organization, so that no one outside the organization, especially the general public, ever learns of the existence of product vulnerabilities.

Some vendors and security institutions try to promote a policy of nondisclosure. They feel the need to control vulnerability information so that only trusted individuals receive details about product or system flaws. In this way, businesses believe they can protect vulnerable systems until a fix is available.
Road to Hell Pavement Company, Inc.
Chapter 3 • Vulnerability Disclosure
The seemingly timeless debate regarding vulnerability disclosure was once
something I loved to follow as an outsider. I had strong opinions, but no
real relevance to them, as I had neither discovered one nor felt it likely
that I would. All of that changed a couple of years ago, in the midst of
some work for a large organization that must remain unnamed due to a
nondisclosure agreement that is still in effect. I headed up a small team
whose task was to find any and all issues with a virtual private network
(VPN) product that was about to be implemented. Unfortunately, not only
did we find problems, we found many problems, and did not even finish
examining all the things we wished to check before time (and funding) for
the project ran out. The vendor addressed the first three issues which
were found (all of which within two days, before we even got into reverse
engineering, I should add), which is the good news. The bad news is that
it is the overwhelming consensus of the team that more problems are
lurking in the software, both at the server and the client end. At one
point, one of those fears was confirmed; a friend of mine complained to
me one day, about a year later, about how someone could just copy the
software VPN client from one machine to another, and all the information
(save the password) needed to log into the VPN remotely would follow
with that one directory; this is abhorrently bad security for such an application,
and it was sheer torture keeping my mouth shut as I listened.
Unfortunately, the client has not given permission to disclose; they
never will, in all likelihood. For whatever reason, the client follows the
vendor’s lead on the matter, and thus is opposed to any disclosure. This
is unfortunate in the greatest extreme, as I have watched many large and
critical organizations implement the software over the past two years,
undoubtedly unaware of what may occur if a black hat were to discover
the weaknesses that still hide within. Just asking nicely about disclosing,
well after the known vulnerabilities were fixed, has brought the threat of
a lawsuit from the client; there is little doubt what would occur should
one of us decide to disclose spontaneously. But it is no small thing to
remain silent as to the problems that can affect others, either.
Rob Shein
EDS – Washington, D.C.