how NOT to disclose security vulnerabilities

blogrolling.com had a security vulnerability. It was disclosed on someone's blog.
Not only did this person decide to disclose the issue at the same time
they notified blogrolling.com (which is now part of Tucows), but they
decided to explain how to exploit it and even suggested certain blogs
to exploit.

As I commented, a good reference for disclosing security vulnerabilities would be RFP's.

As anyone who reads my posts or knows me would know, I am a supporter of
Tucows. I know they would have fixed this ASAP, regardless of the
impact and public disclosure. That's just the way they are. I can
understand why Ross is upset.
If more companies were like them, we'd have fewer instances of viruses,
trojans, and malware, and disclosure wouldn't be a hot button.

Having said that, this is an amateur coding mistake. I would assume that due
diligence when acquiring a technology product/company would include a
code audit, and this would have been caught. Regardless, the code should
have been reviewed after the purchase and this should have been found.
I'm not trying to knock Jason. He created a great product and offered
it for free.

One thought on “how NOT to disclose security vulnerabilities”

  1. Actually, it was a Tucows mistake that caused the problem. A few weeks ago, we had to fail over to a non-production box because one of the servers that Jason had colocated us on died without much warning. It was the only way to keep the service alive on short notice.
    Problem was, it was running slightly outdated code – the production server, at the time, had already been patched by Jason. By failing over to the older development box and turning it live without patching it properly, we reintroduced the problem that Jason had kindly fixed for us.
    The box with the patch was never brought back online because we are in the process of moving off of the colo that we're currently at and into the regular Tucows environment at IBM – no sense in going through more trouble than it was worth, we thought.
    So the long and the short of it is that I really messed this up. Jason has been an amazing source of support through all of this (post-purchase) and I'd really hate for my mess-ups to reflect on him somehow. Tucows, and more to the point, I am the root cause of the problem that we saw today.
    And now we need to pick ourselves up, dust everything off and move on – without repeating the same mistakes that we've just fixed.
