This is a more specific discussion about community thoughts on the subject. These thoughts were getting to be more than a few clogging up some other threads. The artical that paper that sparked this conversation is: https://iotsecurity.eecs.umich.edu/ The other relevant thread would be over here: …

[image] SmartThings Platform Security - Response from Alex The condition that the “discoverer” should have the right of first-publication seems to be in a grey area I guess I don’t really see how it’s a grey area. They did all of the work, it’s their data, they should be able to do with it wha…

Thanks for spinning off this Topic, Jason! Let’s try to find some more “up-to-date” Disclosure Protocols that seem to be prevalent. I don’t know offhand, if Michigan ( @earlenceferns ) referenced a particular protocol in their arrangements with SmartThings for this particular research and disclosure…

[image] tgauchat: I don’t know offhand, if Michigan ( @earlenceferns ) referenced a particular protocol in their arrangements with SmartThings for this particular research and disclosure? [image] Researchers say there are serious security problems in Samsung’s SmartThings For the record, we …

[image] schapper05: It would be a very slippery slope to say that Companies should have the right to control the stories about their security. Yah… “the right” is not the correct wording. Perhaps … the “courtesy”? I’m not sure how slippery the slope is. Perhaps the researchers and the company…

[image] schapper05: 4 months is much longer than I would have waited to publish my findings. Agreed… CERT’s policy is 45 Days (though they will sometimes (?) extend it if they believe the vendor is actively working on the problem and it remains beneficial to the public to hold-off publication…

Here’s a reference from about five years ago. Around that time a lot of these conversations went in a different direction from the earlier ones. That’s because the people discovering exploits had divided into two very distinct groups. White hat hackers, who expected to be paid for what they found. …

[image] tgauchat: I’m not sure how slippery the slope is. Yes, I would agree that if it were an industry ‘courtesy’ it isn’t really a slippery slope. But then again our legal system has been known to turn ‘courtesies’ into a ‘right’ before. [image] tgauchat: bad hackers to exploit. If…

[image] JDRoberts: The white hat hackers were usually just fine with the company handling all the press about it. In fact sometimes they required that their name not be disclosed. What they wanted was to get paid. I would consider this to be a grey hat hacker.

Generally in the security research community, we give notice to the vendor immediately after we complete writing up our paper (a paper is the research output – it embodies all new ideas, and it is what we value the most, besides of course trying to improve security). Therefore, we notified SmartThin…

[image] jnschemm: I would consider this to be a grey hat hacker. Definitely! It is considered unethical to request payment or bounty because that is in conflict with the altruistic purposes of deferred disclosure. A white hat realizes there is genuine benefit to deferring disclosure for a “…

Thoughts on Industry Standards for Vulnerability Discovery Disclosures

General Discussion

schapper05 (Jason) May 4, 2016, 1:44am 4

4 months is much longer than I would have waited to publish my findings.

Topic		Replies	Views
SmartThings Platform Security - Response from Alex Announcements	19	8840	May 22, 2016
Security Issues Dumping Ground Meta	33	4634	September 10, 2015
Researchers say there are serious security problems in Samsung’s SmartThings General Discussion	147	16027	May 23, 2016
SmartTiles (& "other" External Services) Security Community Created SmartApps security , webservices , smarttiles	47	10326	January 28, 2016
Platform Security SmartApps & Automations	51	7561	October 19, 2019

Thoughts on Industry Standards for Vulnerability Discovery Disclosures

Related topics