[Owasp-rochester-announce] Question: Is this extortion or security consulting?

Andrea Cogliati andrea.cogliati at owasp.org
Wed Oct 7 14:44:22 EDT 2009


we don't know all the details of the case, so I can only speculate:  
most security researchers agree that security flaws must be fully  
disclosed. There's disagreement on the timing and the extent of  
disclosure: the consensus is toward "responsible disclosure" -- you  
alert the vendor and give them a reasonable amount of time for making  
a patch; if they don't act, you can disclose the vulnerability in  
public -- others promote "full disclosure" -- vulnerabilities must be  
published immediately, no matter what. Of course, there are pros and  
cons on both sides.

Most countries (including the US) prohibit unsolicited security tests  
(sometimes including reverse engineering on products you buy, like in  
the DMCA). How did this guy get this information? Was he paid to  
perform a vulnerability assessment/pentest? Was he an insider? Did he  
have an NDA with the company? Did he discovered the flaws by mistake?  
Or was he trying to hack into the application?

The final questions on payments and rewards is a very broad one and,  
to me, it has several ramifications involving the whole free software  
movement. Thanks to the free software movement we have access to  
better software, tools and documentations, that's for sure. The  
reverse side of the coin is now the misconception that everything must  
be provided "free of charge".

Finally, it looks like that consumers are protected by law from  
defective products (like an unsafe car or a microwave oven that  
explodes). Unfortunately, end users don't get the same protection from  
poor security in web applications.


On Oct 4, 2009, at 10:26 PM, David Stevenson wrote:

> Question: What if the security flaw involved the potential exposure of
> consumer identity information such as credit card numbers, social  
> security
> numbers, passwords, security questions such as mother's maiden name,  
> full
> name and address? Does this person have a moral obligation to  
> current and
> potentially future consumers to warn them of the problem? Especially  
> with
> the prevalence of identity theft?
> What if the security flaw was due to basic security flaws such as SQL
> Injection, which could be easily prevented by use of parameterized  
> queries
> and/or stored procedures? Whether the responsibility accrues to  
> company
> management (get the project done, we don't care about security, and  
> no we
> don't have time to address security issues), or accrues to software
> developers is debatable. But if the company does not do due  
> diligence, do
> current and potentially future shareholders need to be informed of the
> risks?
> Is it a moral responsibility to protect those who could be injured  
> by such
> security flaws?
> Doesn't this country still protect whistle-blowers?
> And lastly, shouldn't those who labor in the security field get paid  
> for
> their work? There are those who believe that they shouldn't have to  
> pay fair
> market labor rates for Information Technology expertise.
> David Stevenson
> -----Original Message-----
> From: Charles Profitt [mailto:indigo196 at rochester.rr.com]
> Sent: Sunday, October 04, 2009 9:50 PM
> To: Andrea Cogliati
> Cc: David Stevenson; owasp-rochester-announce at lists.owasp.org
> Subject: Re: [Owasp-rochester-announce] Question: Is this extortion or
> security consulting?
> This is a tough one for me.
> The revealing of the 'flaw' to the public (and crackers) could harm
> people using that companies software. At the same time asking to be  
> paid
> for information is not a 'new' thing.
> So the issue really is not that it is wrong to be paid for the
> information... but the release of 'dangerous' information to potential
> bad guys. Then again the security researcher did not 'make the flaw'  
> the
> original software company did.
> What would people have thought if there had been a worker who knew  
> about
> a flaw in an automobile that caused it to explode but chose to not  
> tell
> anyone?
> This is one of those grey areas, but 'demands' and 'threats' tend to  
> be
> viewed in a poor light.
> On Sun, 2009-10-04 at 20:40 -0400, Andrea Cogliati wrote:
>> It's definitely blackmailing. Like it or not, the only "currency"
>> received by security researchers for discovering vulnerabilities is
>> credit. I don't entirely agree with this practice, but this is how  
>> the
>> industry has been working for almost 10 years.
>> Andrea
>> On Oct 4, 2009, at 2:29 PM, David Stevenson wrote:
>>> I saw this in LinkedIn in the Question and Answer section. People
>>> are calling this payment extortion. Is that a correct view, or is
>>> the hacker protecting consumers from poor security provided by
>>> corporations? Unstated in this description is whether consumer
>>> identity information, such as credit card numbers and/or social
>>> security numbers, were at risk of disclosure. Also unstated is
>>> whether company assets, or revenue, were at risk due to the security
>>> flaw. Were the security risks easily preventable, such as security
>>> risks caused by SQL Injection attacks?
>>> How to recognize on the financial statements a payment to a hacker,
>>> that stops him from posting a security flaw on the internet?
>>> A payment of 100,000 was made to keep the flaw of the program from
>>> being public, how would this payment be recognized on the financial
>>> statements?
>>> David Stevenson
>>> _______________________________________________
>>> Owasp-rochester-announce mailing list
>>> Owasp-rochester-announce at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-rochester-announce
>> _______________________________________________
>> Owasp-rochester-announce mailing list
>> Owasp-rochester-announce at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-rochester-announce

More information about the Owasp-rochester-announce mailing list