Matasano Chargen - Latest Comments in Vulnerability Reporting in a Web 2.0 World

Re: Vulnerability Reporting in a Web 2.0 World

Money and lawyers — Fri, 01 Jun 2007 20:00:04 -0000

Try contacting their funding source or, better yet, their lawyers. These days, those folks understand the words "risk to brand", etc.

Re: Vulnerability Reporting in a Web 2.0 World

Dave G. — Thu, 31 May 2007 11:04:38 -0000

stacy:

In this situation, I dont think the cost of one customer is going to motivate anyone. Besides, not using products and services everytime there is a security issue that isn't resolved to my satisfaction would basically cause me to stop using computers. :)

Re: Vulnerability Reporting in a Web 2.0 World

stacy — Mon, 28 May 2007 13:11:48 -0000

So maybe you should "vote with your wallet" and look for an alternative application.

If you don't consider the vulnerability serious enough to not use the application, why should they think it is serious enough to expend resources to fix?

Re: Vulnerability Reporting in a Web 2.0 World

Ryan Russell — Sun, 27 May 2007 04:03:09 -0000

Picking functionality over security there, Tom? ;)

Re: Vulnerability Reporting in a Web 2.0 World

Thomas Ptacek — Fri, 25 May 2007 18:47:29 -0000

They could get vindictive and kick us off their application! No thanks!

Re: Vulnerability Reporting in a Web 2.0 World

Ryan Russell — Fri, 25 May 2007 12:58:16 -0000

Those of us who tend a little more towards the punitive end of the spectrum would tend to say that at this point, you name the company (if not the vuln.)

Yay! Free education for everybody...

(Or perhaps in your subtlety, you're going to point them at this entry and ask nicely one more time... if so, where's the hash of your advisory?)

Re: Vulnerability Reporting in a Web 2.0 World

LonerVamp — Fri, 25 May 2007 11:20:11 -0000

I think some Web 2.0 companies have not transitioned internally from being short-sighted to longer-sighted. In the short term, unless you're actually selling security, the impetus is to get the product viable and functional. Security just can't be a cost or detractor from that. Longer-term, devels can start thinking about security and doing things the right way, once a little bit more of their future is "secured." (Pun intended!)

Others just like to build things...maintenance (and beefing up security) are sometimes not what they want to do. :\

Not saying that's right, but...damnit... :)

Re: Vulnerability Reporting in a Web 2.0 World

dre — Fri, 25 May 2007 11:05:54 -0000

secure software contracts annexes based on owasp/mitre/wasc/samate/sans-ssi (probably in that order) certifications are the future of web 2.0 b2b.

unfortunately, only sans-ssi exists right now, although owasp has this:
http://www.owasp.org/index.php/OWASP_Secure_Sof...
and mark curphey got like $200k to work on a project called "owasp ceritification" a few weeks ago which he claims will replace pci. pci-dss and texas are going to hell in a handbasket as they well should.

i talked about this at chisec last night

Re: Vulnerability Reporting in a Web 2.0 World

Thomas Ptacek — Fri, 25 May 2007 10:34:23 -0000

This company didn't treat the vuln report as a bug. They treated it as a FEATURE REQUEST.

Re: Vulnerability Reporting in a Web 2.0 World

Dan Weber — Fri, 25 May 2007 10:30:46 -0000

Unlike software companies, I'm really paranoid about reporting vulnerabilities to websites. The best you can reasonably hope for is that they won't try to sue. :(

This is maybe about where software companies were 15 or 20 years ago.

Re: Vulnerability Reporting in a Web 2.0 World

Jordan Wiens — Fri, 25 May 2007 10:12:29 -0000

I notified a website back in October that they had multiple serious security flaws. Including some really stupid ones -- among them, "authentication" resulted in you getting a cookie set to your username -- change the cookie, become another user.

Their response was along the lines of "oops, yeah, we should totally fix that!". I followed up two months later, never heard back and forgot about it until now. Checked again, and they're still vulnerable.

*sigh*

Re: Vulnerability Reporting in a Web 2.0 World

magnus — Fri, 25 May 2007 10:06:57 -0000

At least they didn't take you to court... yet. ;-)

Re: Vulnerability Reporting in a Web 2.0 World

chrisw — Fri, 25 May 2007 09:49:26 -0000

What we need is disclosure 2.0 guidelines for web 2.0 software. Dave did the right thing by informing the software company. The software company did the wrong thing by treating this as a bug. Perhaps there should be a "hall of web 2.0 shame" for companies that don't fix vulnerabilities reported to them in a timely way.

Perhaps we need a place where researchers like Dave can submit a posting saying they have informed Vendor X of Vulnerability Y on Date Z with CVSS score of A. Then Vendor X can get this taken off the list by saying they fixed it. If it wasn't really fixed Dave can inform the list and it goes back on. Use web 2.0 to police web 2.0.

-Chris

Re: Vulnerability Reporting in a Web 2.0 World

Daniel — Fri, 25 May 2007 04:04:02 -0000

Web 2.0 + Security was like DotCom + Logic, they aren't mean't to be :)