kbruce
Newcomer I

Proper protocol before publishing an article

Hi Folks,

I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Knowing this, what is the proper protocol that I should follow before publishing, to avoid future repercussions to protect myself and ISC2.org?  Should I provide the exposed company with ample warning?  If so, what would be considered ample time (30, 60 or 90 days notice)? Do we have access to a template repository, of sorts? Should I publish anonymously? 

Thank you,

Any suggestions are greatly appreciated.

6 Replies
denbesten
Community Champion

See https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet.

Unless (ISC)² is the vulnerable web site, I recommend keeping unrelated parties out of any "article".  The more people you drag in, the more conversations you end up having with lawyers.

CraginS
Defender I

> @kbruce wrote:
>
> I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Keith,

A big part of the answer depends on how and where you plan to publish. If you are thinking of self-publishing, like in a blog, I recommend reconsidering that choice, given the mess full disclosure of a site's vulnerabilities brings on (we're talking lots of lawyers). Rather, consider publishing in an established professional journal, magazine, or conference, and follow their guidelines for publishing disclosures of vulnerabilities.

If you are not familiar with the ongoing infosec topic of responsible disclosure, please search the net for that term and read up on the various positions on notification and responsibility.

Congrats on your first article! That is an exciting step.

Best regards,

D. Cragin Shelton, DSc
CraginS
Defender I

Amanda @amandavanceISC2 

This thread seems more appropriate for the Career area than in Member Support. If Keith @kbruce is OK with changing, can you move it over there?

Thanks,

D. Cragin Shelton, DSc
rslade
Influencer II

> kbruce (Viewer) posted a new topic in Member Support on 10-22-2018 09:57 AM in the (ISC)² Community :

> Hi Folks, I am writing my first article, which will be exposing a
> vulnerable website, its disclosure of PII and its potential to assist in
> phishing attempts. Knowing this, what is the proper protocol that I should
> follow before publishing, to avoid future repercussions to protect myself
> and ISC2.org?

Are you identifying yourself with ISC2 in the article?

>  Should I provide the exposed company with ample warning?

Definitely. I would have already notified them before starting to write the article ...

> If so, what would be considered ample time (30, 60 or 90 days notice)?

Depends upon a number of factors. How many people/users does this vulnerability
affect? How complex is the issue? How long is it reasonable to expect the
company to take to fix it? If the breach is potentially serious for a large number
of people, it might be proper to publish and warn people before the company has
had time to patch, but, in most less serious cases, the company should have time
to fix the issue before you alert the "dark side" that they have a chance to attack.

> Should I publish
> anonymously?

Depends upon how well you've done your work ...

SamanthaO_isc2
ISC2 Former Staff

Hi @CraginS

I've gone ahead and moved this, as it is a better fit for the Career board. Thanks for tagging us! 

Samantha O'Connor
(ISC)² Online Community Manager
kbruce
Newcomer I

Thanks, very helpful.