Scribd
Upload
21 views1 page

Gray Hat Hacking 88

The document outlines the process for vendors to address vulnerabilities reported by finders, emphasizing the importance of timely and effective remedies. Vendors are expected to provide a fix within 30 days of acknowledging a vulnerability, while also ensuring the solution does not introduce new issues. It highlights the potential complexities in developing fixes and the types of remedies that can be proposed, such as configuration or software changes.

Uploaded by

digapo7593
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
21 views1 page

Gray Hat Hacking 88

The document outlines the process for vendors to address vulnerabilities reported by finders, emphasizing the importance of timely and effective remedies. Vendors are expected to provide a fix within 30 days of acknowledging a vulnerability, while also ensuring the solution does not introduce new issues. It highlights the potential complexities in developing fixes and the types of remedies that can be proposed, such as configuration or software changes.

Uploaded by

digapo7593
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

60
either party, many times the vendor will ask the finder to provide assistance in evaluat-
ing if a proposed remedy will be effective in eliminating the flaw. The OIS suggests the
following steps when devising a vulnerability resolution:
1. Vendor determines if a remedy already exists. If one exists, the vendor should
notify the finder immediately. If not, the vendor begins developing one.
2. Vendor ensures that the remedy is available for all supported products/versions.
3. Vendors may choose to share data with the finder as it works to ensure the
remedy will be effective. The finder is not required to participate in this step.

Timeframe
Setting a timeframe for delivery of a remedy is critical due to the risk that the finder and,
in all probability, other users are exposed to. The vendor is expected to produce a rem-
edy to the flaw within 30 days of acknowledging the VSR. Although time is a top prior-
ity, ensuring that a thorough, accurate remedy is developed is equally important. The fix
must solve the problem and not create additional flaws that will put both parties back
in the same situation in the future. When notifying the finder of the target date for its
release of a fix, the vendor should also include the following supporting information:

• A summary of the risk that the flaw imposes


• The remedy’s technical details
• The testing process
• Steps to ensure a high uptake of the fix

The 30-day timeframe is not always strictly followed, because the OIS documenta-
tion outlines several factors that should be considered when deciding upon the release
date for the fix. One of the factors is “the engineering complexity of the fix.” What this
equates to is that the fix will take longer if the vendor identifies significant practical
complications in the process of developing the solution. For example, data validation
errors and buffer overflows are usually flaws that can be easily recoded, but when the
errors are embedded in the actual design of the software, then the vendor may actually
have to redesign a portion of the product.

CAUTION Vendors have released “fixes” that introduced new vulnerabilities


into the application or operating system—you close one window and open
two doors. Several times these “fixes” have also negatively affected the
application’s functionality. So although putting the blame on the network
administrator for not patching a system is easy, sometimes it is the worst
thing that he or she could do.

A vendor can typically propose one of two types of remedies: configuration changes
or software changes. A configuration change involve giving the user instructions on
how to change her program settings or parameters to effectively resolve the flaw. Soft-

You might also like