RE: Question about exploit exposing SSN & user info

From: Michal Bucko <michal.bucko@eleytt.com>
To: bugtraq@securityfocus.com
Cc:
Subject: RE: Question about exploit exposing SSN & user info
Date:


Hello,

I think you chose the right list for such a question. 

I have had varied experience working with different companies in
this field. I've led the HACKPL Security Dep., and we receive plenty
of information about various security issues.

I think it is quite common that companies try to behave as if nothing
really happened, or as if the issue wasn't that important. From my
experience, a huge number of companies fail to inform their clients of
problems when the issue is patched. If you want to make the information
public, make sure everything is _really_ patched, then ask the company
to inform their clients (if they don't want to do so). If the company
says:

'Nothing baaad really happened. This and this could be done. Our clients
are safe thanks for Our Gosh-So-Perfect Security Program. Thank You
for sharing information with our Security Team.'

then, in my opinion, you are free to inform the public what really
happened, as your intention was to bring true information to the public in
order to make the community safer and _aware_ of the problem. (I would
first inform the company of my plans, and if they didn't change their
decision, I would reveal the information about the issue.) The issue might
have affected many people, and people have the full right to be aware of
eventual problems.

Finally, not only do many companies fail to react properly, but many also fail
to act at all. I have experienced many situations in which I reported the
problems many times, and there was no response. Fortunately, the majority
of serious companies solve the problems and treat clients with enough
respect (to inform them of the problem).



One more thing: if you feel like you are skating on thin ice, send additional
information to my personal email: michal.bucko <at> eleytt <dot> com.
I think we could find a good solution for your problem. Before writing,
be sure to check the legislation in your country (it would be nice
if you had a lawyer friend who could advise you).


Cheers!

mb
