The Russian security firm Intevydis has announced that it will be releasing a number of security vulnerabilities that have not yet been fixed by the manufacturers, all of whom have already been notified. According to an interview with Krebs on Security, the founder is sick of notifying the vendors with no fixes being released.
The debate around the discovery of security weaknesses focuses on two distinct areas: do you announce to the entire world the weakness you found (and a way to fix it or resolve it), or do you keep it secret and only notify the vendor? The first is called “full disclosure” and is generally only used by individuals; the latter is called “responsible disclosure” and is the normal method for most security firms.
One question often raised is this: are users best served if the problem is kept secret while the vendor fixes it, or when users (and crackers and the public at large) are notified so they can work around it?
Unfortunately, vendors sometimes take several months or years to fix vulnerabilities, during which time the users have no idea they are vulnerable – and, one hopes, crackers have not yet found the vulnerability.
Underlying all of this is the important idea that system administrators must keep their systems up-to-date on the most recent patches; systems are often hacked through vulnerabilities that are old and have been fixed by the vendor for months or years.
One thought on “Russian Security Firm to Release 0-Day Vulnerabilities”
I think you should first contact manufacturers, tell them what’s wrong and wait for their answer. You should keep mailing them for a time, say 2 weeks/1 month depending on the severity of the security issue, and then if you haven’t got any response or the company plain plays the fool you should make public on every website/blog/Facebook/Twitter what you found, documenting your hard time when trying to make the company patch the problem.
I think public exposure is the best way to have some *ssholes make things right – large corporations, politicians, you know =)
I often remember that Dilbert cartoon when Dilbert reaches his boss and tells him about a new security hole Dilbert just discovered in their ready-to-ship product. Then his boss shouts a lot of blather, much like a politician would, making Dilbert’s blood start to boil, and he leaves the office frustrated and wanting to kill his boss.
Finally his boss says “ah! I fixed the internet” lol, that’s how most well-known respected companies work 😛