
While I Was Working On An Importer...


Cody

To disclose or not to disclose?  

29 members have voted

  1. Should I disclose vulnerabilities to the software vendor?

    • Yes, it's the right thing to do
      18
    • Yes, even though they will pretend like it never happened
      6
    • No, the fact that these are so obvious means they don't give a crap about their software so why should you?
      3
    • No, may I please have teh exploitz?
      2



Well, it's been more than 2 weeks and still no patch from them.

 

I would think, given the severity of the issues we presented to them that they would have released a patch by now. Perhaps those 34 exploits have caused too much work for them? B)

 

I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms.  Let them do their thing and, if appropriate, post on WHT.  If you make a public disclosure, it would immediately be shouted down as a conflict of interest.


I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms.  Let them do their thing and, if appropriate, post on WHT.  If you make a public disclosure, it would immediately be shouted down as a conflict of interest.

 

Isn't that kind of beating a dead horse?  With everything that has happened with them and continuing to happen... I'm not sure what more needs to be said.  It's great for our devs to underline security when it comes to Blesta for those who care about it, which should be everyone, but anything beyond that would just start to look a little foolish.  As Cody mentioned he reported the exploits as well as others obviously since they are issuing security updates to the point that it's driving people nuts apparently.  Either people get the picture and move on or they tighten up over time whether they're reporting back to people's submissions or not.

 

It wouldn't take very much research at all to get a feel for how secure their software is or isn't.  If people won't take basic consideration for their own business then there's no real point in going on a crusade to inform them.  Until then grab some popcorn and let's see what happens.


Isn't that kind of beating a dead horse?  With everything that has happened with them and continuing to happen... I'm not sure what more needs to be said.  It's great for our devs to underline security when it comes to Blesta for those who care about it, which should be everyone, but anything beyond that would just start to look a little foolish.  As Cody mentioned he reported the exploits as well as others obviously since they are issuing security updates to the point that it's driving people nuts apparently.  Either people get the picture and move on or they tighten up over time whether they're reporting back to people's submissions or not.

 

It wouldn't take very much research at all to get a feel for how secure their software is or isn't.  If people won't take basic consideration for their own business then there's no real point in going on a crusade to inform them.  Until then grab some popcorn and let's see what happens.

 

I see your point, but I disagree with it.  There might not be any business incentive to passing it on, just as there was no business incentive to responsible disclosure.  Disclosing it to a trusted third party (like Rack911) is not only an ethical choice, it also may help prevent another outbreak like those that plagued WHMCS last month.  WHMCS seems to have a history of not responding to security threats until they're made public, so putting it in the hands of a neutral-and-trusted third party is doing a tremendous service to the community.

 

I don't buy into the "that's their (people who use WHMCS) own dumb fault, let 'em burn" mentality.  Never have, never will.


We considered sending to Rack911 so they can follow through on confirming resolution, and so they can back us up in the event it's swept under the rug or dismissed. In this case, we've opted to trust they will do the right thing, even though they haven't in the past. And if they don't do the right thing, and silently fix the issues instead -- at least their customer base will be more secure as a result, which is the most important part.


Either way, we've done our part.


We considered sending to Rack911 so they can follow through on confirming resolution, and so they can back us up in the event it's swept under the rug or dismissed. In this case, we've opted to trust they will do the right thing, even though they haven't in the past. And if they don't do the right thing, and silently fix the issues instead -- at least their customer base will be more secure as a result, which is the most important part.

Either way, we've done our part.

Yeah, this was the option I was thinking of, and since it's not on there, lol, I had no clue really how to vote.


I don't buy into the "that's their (people who use WHMCS) own dumb fault, let 'em burn" mentality.  Never have, never will.

 

You act as if they don't already know, and you're trying to save people that don't necessarily want to be saved.  The bugs were reported and we're talking about it in the open.  They made national headlines.  What more do you want?

 

There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.


You act as if they don't already know and trying to save people that don't necessarily want to be saved.  The bugs were reported and we're talking about it in the open.  They made national headlines.  What more do you want?

 

You understand that this is a bug and/or exploit that hasn't been publicly disclosed, right?

 

Because I'm not sure why you're so against getting the word out.

 

There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.

 

Are you active on WHT?


There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.

 

With all due respect, Ken, only some random troll would think the security work we do is for publicity.
 
In the last year alone we have found in excess of 200 security vulnerabilities in almost every popular hosting application and every popular hosting control panel. We are the reason cPanel assembled a new security team and the sole reason their backup system is being rewritten from scratch. Not only have we found all of those security vulnerabilities, which have been or are being handled responsibly, but we came up with a few new exploit techniques previously unheard of!
 
I fail to see how you think we are doing all of this for "publicity" unless you believe we should not be writing advisories at all to get our name out there? You clearly do not understand the amount of time and effort that goes into our work to help make the hosting community safer. Should we not be compensated in the form of advertising by posting advisories and/or offering our services? I just can't wrap my mind around how anyone could have an issue with the work we do!

Ken,

I am not quite sure why you feel this is a publicity stunt.  If you truly believe that, I don't think you have done any real research.

 

Rack911 has been in the server management field for 10 years. Patrick and Mysql have collaborated on vulnerabilities we found in the work we have done for years.

Earlier this year Patrick became a full time employee of Rack911, and we set out to help vendors have more secure products, after years of seeing security holes sit unpatched or patched silently.

 

We work very hard at what we do, and what we do creates results. It is not a publicity stunt if we get results.

 

This list here: http://osvdb.org/affiliations/2667-rack911 wasn't created over a weekend. There are hundreds of pro bono hours here, and this is only the stuff that is public.
