Jump to content

While I Was Working On An Importer...

Cody

By Cody
in General

 Share

To disclose or not to disclose?  

29 members have voted

  1. 1. Should I disclose vulnerabilities to the software vendor?

    • Yes, it's the right thing to do
      18
    • Yes, even though they will pretend like it never happened
      6
    • No, the fact that these are so obvious means they don't give a crap about their software so why should you?
      3
    • No, may I please have teh exploitz?
      2

Recommended Posts

Ken Newbie

Ken

Posted
Posted

Not too long ago they sent out an email talking about all of the exploits they have been fixing and apologized for all of the security updates that have been annoying people.

Counting on a version without exploits is like counting on world peace at the moment.

FRH Dave Newbie

FRH Dave

Posted
Posted

Well, it's been more than 2 weeks and still no patch from them.

 

I would think, given the severity of the issues we presented to them that they would have released a patch by now. Perhaps those 34 exploits have caused too much work for them? B)

 

I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms.  Let them do their thing and, if appropriate, post on WHT.  If you make a public disclosure, it would immediately be shouted down as a conflict of interest.

Ken Newbie

Ken

Posted
Posted

I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms.  Let them do their thing and, if appropriate, post on WHT.  If you make a public disclosure, it would immediately be shouted down as a conflict of interest.

 

Isn't that kind of beating a dead horse?  With everything that has happened with them and continuing to happen... I'm not sure what more needs to be said.  It's great for our devs to underline security when it comes to Blesta for those who care about it, which should be everyone, but anything beyond that would just start to look a little foolish.  As Cody mentioned he reported the exploits as well as others obviously since they are issuing security updates to the point that it's driving people nuts apparently.  Either people get the picture and move on or they tighten up over time whether they're reporting back to people's submissions or not.

 

It wouldn't take very much research at all to get a feel for how secure their software is or isn't.  If people won't take basic consideration for their own business then there's no real point in going on a crusade to inform them.  Until then grab some popcorn and let's see what happens.

FRH Dave Newbie

FRH Dave

Posted
Posted

Isn't that kind of beating a dead horse?  With everything that has happened with them and continuing to happen... I'm not sure what more needs to be said.  It's great for our devs to underline security when it comes to Blesta for those who care about it, which should be everyone, but anything beyond that would just start to look a little foolish.  As Cody mentioned he reported the exploits as well as others obviously since they are issuing security updates to the point that it's driving people nuts apparently.  Either people get the picture and move on or they tighten up over time whether they're reporting back to people's submissions or not.

 

It wouldn't take very much research at all to get a feel for how secure their software is or isn't.  If people won't take basic consideration for their own business then there's no real point in going on a crusade to inform them.  Until then grab some popcorn and let's see what happens.

 

I see your point, but I disagree with it.  There might not be any business incentive to passing it on, just as there was no business incentive to responsible disclosure.  Disclosing it to a trusted third party (like Rack911) is not only an ethical choice, it also may help prevent another outbreak like those that plagued WHMCS last month.  WHMCS seems to have a history of not responding to security threats until they're made public, so putting it in the hands of a neutral-and-trusted third party is doing a tremendous service to the community.

 

I don't buy into the "that's their (people who use WHMCS) own dumb fault, let 'em burn" mentality.  Never have, never will.

Paul Rising Star

Paul

Posted
Posted

We considered sending to Rack911 so they can follow through on confirming resolution, and so they can back us up in the event it's swept under the rug or dismissed. In this case, we've opted to trust they will do the right thing, even though they haven't in the past. And if they don't do the right thing, and silently fix the issues instead -- at least their customer base will be more secure as a result, which is the most important part.


Either way, we've done our part.

silvatech Newbie

silvatech

Posted
Posted

We considered sending to Rack911 so they can follow through on confirming resolution, and so they can back us up in the event it's swept under the rug or dismissed. In this case, we've opted to trust they will do the right thing, even though they haven't in the past. And if they don't do the right thing, and silently fix the issues instead -- at least their customer base will be more secure as a result, which is the most important part.

Either way, we've done our part.

Yeah this was the option I was  thinking of and since not on there lol, I had no clue really how to vote.

Ken Newbie

Ken

Posted
Posted

I don't buy into the "that's their (people who use WHMCS) own dumb fault, let 'em burn" mentality.  Never have, never will.

 

You act as if they don't already know and trying to save people that don't necessarily want to be saved.  The bugs were reported and we're talking about it in the open.  They made national headlines.  What more do you want?  

 

There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.

FRH Dave Newbie

FRH Dave

Posted
Posted

You act as if they don't already know and trying to save people that don't necessarily want to be saved.  The bugs were reported and we're talking about it in the open.  They made national headlines.  What more do you want?

 

You understand that this is a bug and/or exploit that hasn't been publicly disclosed, right?

 

Because I'm not sure why you're so against getting the word out.

 

There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.

 

Are you active on WHT?

Ken Newbie

Ken

Posted
Posted

Not arguing putting the word out. I am saying I feel it's already out. I understand that after research Rack911 does a lot of work for members of that community. My point still stands though.  

Patrick Newbie

Patrick

Posted
Posted

There seems to be a lot of emphasis around this Rack911 business and looking more like a publicity stunt.

 

With all due respect, Ken, only some random troll would think the security work we do is for publicity.
 
In the last year alone we have found in excess of 200 security vulnerabilities in almost every popular hosting application and every popular hosting control panel. We are the reason cPanel assembled a new security team and the sole reason their backup system is being rewritten from scratch. Not only have we found all of those security vulnerabilities which have/are being handled responsibly, but we came up with a few new exploit techniques previously unheard of!
 
I fail to see how you think we are doing all of this for "publicity" unless you believe we should not be writing advisories at all to get our name out there? You clearly do not understand the amount of time and effort that goes into our work to help making the hosting community safer. Should we not be compensated in the form of advertising by posting advisories and/or offering our services? I just can't wrap my mind around how anyone could have an issue with the work we do!
Steven Newbie

Steven

Posted
Posted

Ken,

I am not quite sure why you feel this is a publicity stunt.  If you truely believe that I don't think you have done any real research.

 

Rack911 has been in the server management field for 10 years. Patrick and Mysql have collaborated on vulnerabitiles we found in the work we have done for years.

Earlier this year Patrick became a full time employee of Rack911, and we set out to help vendors have more secure products, after years of seeing security holes sit unpatched or patched silently.

 

We work very hard at what we do, and what we do creates results. It is not a publicity stunt, if we make results.

 

This list here: http://osvdb.org/affiliations/2667-rack911 wasen't created over a weekend. There is hundreds of probono hours here, and this only the stuff that is public.

Steven Newbie

Steven

Posted
Posted

With that said, I do believe WHMCS will do the right thing. They currently are in the process of writing some functions last time I talked to them when I sent them something.

 

 

Hey guys, welcome! 

 

Hey :)

Ken Newbie

Ken

Posted
Posted

Welcome Steve and point taken.  My apologies for suggesting that you were attempting a publicity stunt... I more or less meant it looks like 'it could be taken' as one.  I took it out of context for what was intended for the disclosure.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...