--- Begin Message ---
|
Subject: |
Administrivia |
|
Date: |
Sun, 5 May 2002 20:27:55 -0600 (MDT) |
Hello,
I hope you've all had a pleasant weekend.
Over the past few months, the number of posts to Bugtraq discussing
cross-site scripting and other vulnerabilities in websites/online
services has increased. To be consistent with a precedent set
before my time, I have approved them when I felt there was some
risk to users.
It didn't feel right, however. While there should be a forum
for discussing these vulnerabilities, I do not believe that
Bugtraq is it. Recent feedback from subscribers suggests
that many of you agree. This has been brought up before [1].
I would like to, with your help, make a final decision (and adjust the
charter accordingly).
Therefore, I am proposing the possibility of a new list for
discussion of vulnerabilities in online services and websites.
This list could cover:
- Cross-site scripting vulnerabilities in websites
- "Other" vulnerabilities in websites/online services:
application bugs, design errors, etc.
- Privacy issues related to online services and websites.
What would not be covered on the list are:
- New classes of attacks that are not specific to any single
website or service. This information would belong on a list
such as Bugtraq.
- Vulnerabilities in web applications that may be
downloaded or purchased. Again, more appropriate for a list
like Bugtraq.
There are a few things that I am unsure about:
1. Disclosure
Responsible disclosure will be encouraged. Once
a vulnerability in a service or website has been fixed, it does
not exist anymore. If an issue has been corrected by a vendor
prior to the details being published, is there then a point in
publishing? With software or hardware, it can be argued that
details should be made public to an uninformed (and vulnerable)
public.
Some of the arguments that information should be published after
the issue has been fixed are:
a) To inform the users that they may have been affected sometime
before it was fixed -- "everyone, check your credit card bills".
b) Establish track-records for websites and services.
2. Publishing of vulnerabilities that may result in the website
or service provider being damaged or compromised.
This is a tough one. It is not necessary to point out the
obvious ethical issue here, however there is a valid counterpoint.
The goal of this list would be to provide a forum for disclosure
of vulnerabilities that may ultimately affect the users of online
services. The problem is that there is overlap between
vulnerabilities that directly affect the hosts/network of the
service or website and those that affect users.
For example, a website may somehow allow unauthorized
access to the underlying database. In this case, both the
server and sensitive user data stored on it are at risk. So
should this information be made public? What if the
site administrator is not responsive to contact attempts and
it isn't fixed?
If the public is not made aware, they are at risk while
the problem persists. If the individual publishes on
the list, malicious parties may use the information to
directly break into the website/service network. Also,
publishing the vulnerability may put pressure on an
unresponsive vendor to fix it.
One possibility is to limit the information in these types of
posts. Of course, this does not solve the problem. First of
all, knowledge that a vulnerability exists is enough for
attackers to seek them out. It is naive to assume that malicious
individuals won't take the time to find the specifics on their own.
There's also the problem of verifying reports: does the moderator
review the details and confirm the existence of the vulnerability,
then allow a post lacking precise details?
If this does not occur, anyone may post vague reports alleging all
sorts of vulnerabilities. Facilitating this is irresponsible
and potentially damaging to the websites/services.
(As it stands, I do not approve such posts on Bugtraq. I have
bounced the few reports about vulnerabilities in specific
websites sent to the list.)
--
I am looking for your comments on this matter.
Here's the basic question:
Do you feel that disclosure of service/website vulnerabilities is
appropriate on Bugtraq? Would you rather they be announced on
a separate list?
If you like the idea of a separate list, what are your thoughts
on some of the associated issues?
One last thing to keep in mind is that Bugtraq has evolved into a
general 'watchdog' forum. For this reason, maybe these issues do
belong on the list.
I would love to hear what you think. To keep noise down, I won't approve
any feedback on the list. Please reply to me directly.
[1] http://online.securityfocus.com/archive/1/50865
Thank you for your time.
Regards,
Dave Ahmad
SecurityFocus
www.securityfocus.com
--- End Message ---