ExpertLaw.com Forums

Website Security Vulnerability

  • 12-29-2010, 09:41 PM
    Losik
    Website Security Vulnerability
    Imagine the following situation: I found a security vulnerability on a website. The website can be totally destroyed; the data can be stolen and so on. I'm not going to do any of this, of course. I want to notify the owner of the website. But simultaneously I want to publish an article about this particular security vulnerability. So I have two long questions:

    1) E.g. I sent the notification to the owner on 12.01.2010. The owner has not fixed the problem till 12.15.2010 - when I published the article. Some unknown guy read the article and ruined the site on 12.16.2010. Am I responsible? Is a 2-week time frame reasonable?

    2) Regarding the notification to the owner. OK, I see the problem. I understand it. But if I tell a regular online store something like “Hey, you have nginx null pointer dereference” – it says nothing to him. In order to be understood I can (theoretically) upload a file to his website to create a page hiswebsite.com/it_is_a_problem.html. That would be proof even business people can understand. And it’s harmless. But isn’t it illegal?


    Thanks in advance. And sorry for the language. English is not my native language.
  • 12-30-2010, 05:20 AM
    free9man
    Re: Website Security Vulnerability
    Quoting Losik:
    Imagine the following situation: I found a security vulnerability on a website. The website can be totally destroyed; the data can be stolen and so on. I'm not going to do any of this, of course. I want to notify the owner of the website. But simultaneously I want to publish an article about this particular security vulnerability. So I have two long questions:

    1) E.g. I sent the notification to the owner on 12.01.2010. The owner has not fixed the problem till 12.15.2010 - when I published the article. Some unknown guy read the article and ruined the site on 12.16.2010. Am I responsible? Is a 2-week time frame reasonable?

    If you publish an article for anyone to read that details how to attack the website, damn skippy you're responsible. 2 weeks? Around the friggin holidays? Did it ever occur to you it might take the owner longer than that to either a. contact the original website developer or b. find someone else to come in and fix it?

    Quoting Losik:
    2) Regarding the notification to the owner. OK, I see the problem. I understand it. But if I tell a regular online store something like “Hey, you have nginx null pointer dereference” – it says nothing to him. In order to be understood I can (theoretically) upload a file to his website to create a page hiswebsite.com/it_is_a_problem.html. That would be proof even business people can understand. And it’s harmless. But isn’t it illegal?

    Yes, it is probably illegal in some jurisdictions in the sense you can be sued. Criminally? Without knowing a specific jurisdiction, can't say.
  • 12-30-2010, 06:14 AM
    Losik
    Re: Website Security Vulnerability
    free9man, it's hard to identify the jurisdiction on the Internet. E.g., I'm in NJ, the website owner is in MN, and the site is hosted on Amazon cloud hosting (meaning it might be in several different locations at the same time). So let's say USA in general. Hacking is covered by federal laws mainly - if I'm not mistaken?

    :) It seems we live in different worlds. 2 weeks sounded like more than enough to me :). OK, what would be a reasonable time frame - in your opinion?
  • 12-30-2010, 06:51 AM
    free9man
    Re: Website Security Vulnerability
    You think that 2 weeks during the busiest time of the year is more than enough? When people are on vacation? Working on year-end wrap ups or prepping for new-year rollouts? During the holidays, I would say at least a month. Some states have their own laws as well.

    You could avoid the possible legal entanglements by keeping your mouth and keyboard shut about the problem. If they don't want to fix it, it's on them. I'm assuming you fancy yourself a white hat hacker? YOU have no right or duty to publicize how to break into their website. If another criminally inclined hacker gets them, as I said, it's on them... unless you post how to do it all over the place. Then it could arguably be put on you, at least to some extent.
  • 12-30-2010, 07:32 AM
    Losik
    Re: Website Security Vulnerability
    free9man, yes, you're right - it's on them. But there is a circumstance. If I create an account or use a service of the website - its security is not just their business from this point, is it? Imagine that - you figured out that your bank has a lack of security and anyone can see all of your old transactions. Doesn't that make it your business as well?
  • 12-30-2010, 07:40 AM
    free9man
    Re: Website Security Vulnerability
    Quoting Losik:
    free9man, yes, you're right - it's on them. But there is a circumstance. If I create an account or use a service of the website - its security is not just their business from this point, is it? Imagine that - you figured out that your bank has a lack of security and anyone can see all of your old transactions. Doesn't that make it your business as well?

    But it is NOT your business to publicize how to exploit the vulnerability. If you do business with them and they do not fix it, stop doing business with them. Easy solution and the one I would use, as well as telling anyone I know not to use them. Not everyone can see the old transactions, only those who take the time to identify and exploit the vulnerability. You could go so far as to make vague references to a vulnerability in the site but even that is dangerous as it will invite the criminal hackers to find it.
  • 12-30-2010, 09:50 AM
    Losik
    Re: Website Security Vulnerability
    free9man, I see. But a little problem is still in place. You can choose to stop doing business with such a place. But what about your old transactions? If we continue with a bank as an example: let's say you've been doing business with bank A for three years. Then you figured out they have security problems. You notify them, they don't react. You can move your business to another bank. But three years of your logs are in danger. What now?
  • 12-30-2010, 10:01 AM
    free9man
    Re: Website Security Vulnerability
    Look... lemme make this simple for you. NOTHING justifies you publicizing the vulnerability or how to exploit it. Doesn't matter what kind of a business it is. Cause while the business is trying to fix it, you have placed ALL the customers at risk by making it public. The absolute 100% best course of action after notifying them is to keep it to yourself. If you wish, send repeated requests for them to plug it. Hell, just tell them how to fix it. If you explain it in detail, they can forward it to whoever handles their IT work to investigate and resolve. DO NOT say anything like, you have x time to fix it or I will release it. That could get you into legal hot water.

    I generally disagree with White Hats publicly disclosing vulnerabilities at a site as it encourages the criminals to try it everywhere just to see if it works. But if bragging rights are so important to you, brag about it AFTER it is fixed... no matter how long it takes. If it is never fixed, well, you get the warm n fuzzy of having done the right thing. Cause if you talk about it and the site is compromised after you contact them, guess who the first person is going to be they sic law enforcement on?
  • 12-30-2010, 10:32 AM
    Losik
    Re: Website Security Vulnerability
    free9man, good point. But how do all the websites that write about security problems survive, then? E.g. http://www.securityfocus.com/ - owned by Symantec. They publish exploits and they are doing well.
  • 12-30-2010, 10:35 AM
    Mr. Knowitall
    Re: Website Security Vulnerability
    In writing an article, why would you have to make it obvious that a specific website or store had the vulnerability, let alone identify the website at issue?