I wrote this in July 2007 but decided against publishing it at the time. In July, I felt that I did not have a significant, publicly known case to help legitimize the argument. The Dan Egerstad case prompted me to change my opinion.
There was a time when, if I found a vulnerability — and a web app vulnerability in particular — I would notify the application owner. Jeremiah reminds us that those on the receiving end do not always respond appropriately.
In one recent case, I found a web app vulnerability that one year later was the root cause of a minor incident with large public exposure.
One may argue that I did not behave ethically and put others at risk by not reporting what I stumbled upon. In fact, there is a clear provision for reporting discovered vulnerabilities in the CISSP code of ethics.
Truthfully, when one considers how vulnerabilities are discovered, they are rarely found by a passive participant. In most cases the researcher asks, “Why does the app behave in a particular way? And, if I were to do such-and-such an action, what might happen?” Answering these questions requires an active participant! Hence: vulnerability discovery usually requires the researcher to be an active participant in the discovery process in order to test whether or not a vulnerability is present and is exploitable.
So, I counter that the risk to me, personally, in our current security environment, is too great for me to report it. If a corporation questions my motives and how I came to know about the vulnerability, it would most likely paint me as a more active participant than I would prefer.
The original reason I formed a corporation in 2001 was for protection against large corporations (such as Microsoft) that may seek damages (against little old me) with regard to my security and vulnerability research.
Over the last two years or so we’ve seen that the effects of InfoSec breaches are not as drastic as most want to claim. Hence the argument that I am putting more people at risk by not reporting the vulnerability does not have as much weight. In the current environment I prefer to let others take the reporting risk.
(I should also add: I do not have an issue reporting vulnerabilities in open source software as I believe these projects are more receptive to this information and there is much less risk to me as an individual.)