Re: Vulnerabilities in some SCADA server softwares
While I support full disclosure, I also advocate responsible disclosure. Th=
e public _has_ a right to know, but in this case, they can play no significa=
nt part in remedy or mitigation unless they are employees of the vendor or t=
he customer. I believe the best course of action for a SCADA vulnerability w=
ould be to let the vendor know first, let them know you intend to disclose p=
ublicly after a reasonable time, then release to the potential customers in a=
responsible time thereafter, and finally the public (admittedly could be v=
ery arbitrary per researcher). This way you can hopefully get the fix start=
ed and let the security-conscious vendor notify customers how to defend in t=
he interim for defense purposes _before_ you let a potential attacker in on t=
he problem. Just my $0.02...
Sent from my mobile launching platform...
On Mar 22, 2011, at 16:24, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> Analogy: Car owner has his car speed up ending up in almost near
>> catastrophe. Car owner goes to media outlets condemning the
>> manufacturer: "How could you be so reckless! Thousand of lives..."
>> Reality: Car manufacturer was never made aware of the issue. How do you
>> propose a manufacturer fix an issue?
>=20
> Yes, the discussion definitely needed a car analogy...
>=20
> The author decided to follow a particular route, probably not out of
> malice, but because he believes that his responsibilities to inform
> the public outweigh the responsibility to assist the vendor. You
> wouldn't do the same, but you haven't discovered these bugs.
>=20
> Unless your view is that you would rather not know about about
> security problems at all, than see a disclosure mode you do not agree
> with, I do not think it's fair to lash out against the reporter; and
> it's not particularly fitting to do so on BUGTRAQ.
>=20
> /mz
討論串 (同標題文章)
完整討論串 (本文為第 5 之 23 篇):