topic Re: Proper protocol before publishing an article in Career Discussions

Proper protocol before publishing an article

kbruce — Mon, 22 Oct 2018 13:57:51 GMT

Hi Folks,

I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Knowing this, what is the proper protocol that I should follow before publishing, to avoid future repercussions to protect myself and ISC2.org? Should I provide the exposed company with ample warning? If so, what would be considered ample time (30, 60 or 90 days notice)? Do we have access to a template repository, of sorts? Should I publish anonymously?

Thank you,

Any suggestions are greatly appreciated.

Re: Proper protocol before publishing an article

denbesten — Mon, 22 Oct 2018 16:51:48 GMT

See https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet.

Unless (ISC)² is the vulnerable web site, I recommend keeping unrelated parties out of any "article". The more people you drag in, the more conversations you end up having with lawyers.

Re: Proper protocol before publishing an article

CraginS — Mon, 22 Oct 2018 17:10:38 GMT

@kbruce wrote:
I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Keith,

A big part of the answer depends on how and where you plan to publish. If you are thinking of self-publishing, like in a blog, I recommend reconsidering that choice, given the mess full disclosure of a site vulnerabilities brings on (we're talking lots of lawyers). Rather, consider publishing in an established professional journal, magazine, or conference, and follow their guidelines for publishing disclosures of vulnerabilities.

If you are not familiar with the ongoing infosec topic of responsible disclosure, please search the net for that term and read up on the various positions on notification and responsibility.

Congrats on your first article! That is an exciting step.

Best regards,

Re: Proper protocol before publishing an article

CraginS — Mon, 22 Oct 2018 17:16:55 GMT

Amanda @amandavanceISC2

This thread seems more appropriate for the Career area than in Member Support. If Keith @kbruce is OK with changing, can you move it over there?

Thanks,

Re: Proper protocol before publishing an article

rslade — Mon, 22 Oct 2018 19:26:00 GMT

> kbruce (Viewer) posted a new topic in Member Support on 10-22-2018 09:57 AM in the (ISC)Â² Community :

> Hi Folks, I am writing my first article, which will be exposing a
> vulnerable website, its disclosure of PII and its potential to assist in
> phishing attempts. Knowing this, what is the proper protocol that I should
> follow before publishing, to avoid future repercussions to protect myself
> and ISC2.org?

Are you identifying yourself with ISC2 in the article?

> Should I provide the exposed company with ample warning?

Definitely. I would have already notified them before starting to write the article
...

> If so, what would be considered ample time (30, 60 or 90 days notice)?

Depends upon a number of factors. How many people/users does this vulnerability
affect? How complex is the issue? How long is it reasonable to expect the
company to take to fix it? If the breach is potentially serious for a large number
of people, it might be proper to publish and warn people before the company has
had time to patch, but, in most less serious cases, the company should have time
to fix the issue before you alert the "dark side" that they have a chance to attack.

> Should I publish
> anonymously?

Depends upon how well you've done your work ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I clicked without thinking. That's what using a Mac does to you,
gives you a feeling of invincibility. - Martin Wehlou, 20061222
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Proper protocol before publishing an article

SamanthaO_isc2 — Tue, 23 Oct 2018 19:05:57 GMT

Hi @CraginS,

I've gone ahead and moved this, as it is a better fit for the Career board. Thanks for tagging us!

Re: Proper protocol before publishing an article

kbruce — Fri, 16 Nov 2018 18:50:27 GMT

Thanks, very helpful.