Tom Bicer wrote in to tell us about some interesting development amongst the SSL certificate providers. Comodo made a press release announcing that they found some vulnerabilities related to Verisign's certificate and had advised Verisign on the vulnerabilities. The vulnerability at least led to potential security issues at one of Verisign's customer (a bank). The vulnerability was discovered using publicly available information. Comodo definitely was careful in the wording of this press release, no details of the vulnerability was released. They also stated that they followed CCSS's (Common Computing Security Standards Forum) guideline in releasing the vulnerability information. While it seems that Comodo is doing everything right, it still brings the question - Should you test your competitor's products/ stuff? And - How do you handle the announcement so it doesn't look like you are doing leveraging your competitor's security weakness in marketing? There are no good answers to those questions, it's all dependent on the situation. It's all a very fine line. It's hard to balance the bragging rights by the finder of a vulnerability before the announcement of actual vulnerability by the vendor. In some cases, vulnerabilities are never released by the vendor. Bottom line, credit to the finder of vulnerability should be given. I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London July 2022 |
Jason 93 Posts ISC Handler Jun 24th 2010 |
Thread locked Subscribe |
Jun 24th 2010 1 decade ago |
One would hope that there would be 3rd Parties, that could shield competitors from each other and act as a clearing house for releasing the vulnerabilities. Nothing wrong with a company testing a competitors products. If vulnerabilities are few and far between, no big deal. If they mount up, then the weaknesses being made public are probably for the best.
|
Anonymous |
Quote |
Jun 25th 2010 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!