Viewer

Proper protocol before publishing an article

Hi Folks,

I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Knowing this, what is the proper protocol that I should follow before publishing, to avoid future repercussions to protect myself and ISC2.org?  Should I provide the exposed company with ample warning?  If so, what would be considered ample time (30, 60 or 90 days notice)? Do we have access to a template repository, of sorts? Should I publish anonymously? 

Thank you,

Any suggestions are greatly appreciated.

6 Replies
Community Champion

Re: Proper protocol before publishing an article

See https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet.
Unless (ISC)² is the vulnerable web site, I recommend keeping unrelated parties out of any "article".  The more people you drag in, the more conversations you end up having with lawyers.

Advocate II

Re: Proper protocol before publishing an article

@kbruce wrote:

> I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

Keith, 

A big part of the answer depends on how and where you plan to publish. If you are thinking of self-publishing, like in a blog, I recommend reconsidering that choice, given the mess that full disclosure of a site's vulnerabilities brings on (we're talking lots of lawyers). Rather, consider publishing in an established professional journal, magazine, or conference, and follow their guidelines for publishing disclosures of vulnerabilities.

If you are not familiar with the ongoing infosec topic of responsible disclosure, please search the net for that term and read up on the various positions on notification and responsibility. 
Congrats on your first article! That is an exciting step.

Best regards,

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Advocate II

Re: Proper protocol before publishing an article

Amanda @amandavanceISC2 

This thread seems more appropriate for the Career area than in Member Support. If Keith @kbruce is OK with changing, can you move it over there?

Thanks,

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
Community Champion

Re: Proper protocol before publishing an article

> kbruce (Viewer) posted a new topic in Member Support on 10-22-2018 09:57 AM in the (ISC)² Community :

> Hi Folks, I am writing my first article, which will be exposing a
> vulnerable website, its disclosure of PII and its potential to assist in
> phishing attempts. Knowing this, what is the proper protocol that I should
> follow before publishing, to avoid future repercussions to protect myself
> and ISC2.org?

Are you identifying yourself with ISC2 in the article?

>  Should I provide the exposed company with ample warning?

Definitely. I would have already notified them before starting to write the article
...

> If so, what would be considered ample time (30, 60 or 90 days notice)?

Depends upon a number of factors. How many people/users does this vulnerability
affect? How complex is the issue? How long is it reasonable to expect the
company to take to fix it? If the breach is potentially serious for a large number
of people, it might be proper to publish and warn people before the company has
had time to patch, but, in most less serious cases, the company should have time
to fix the issue before you alert the "dark side" that they have a chance to attack.

> Should I publish
> anonymously?

Depends upon how well you've done your work ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I clicked without thinking. That's what using a Mac does to you,
gives you a feeling of invincibility. - Martin Wehlou, 20061222
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Manager

Re: Proper protocol before publishing an article

Hi @CraginS

I've gone ahead and moved this, as it is a better fit for the Career board. Thanks for tagging us!

Samantha O'Connor
(ISC)² Online Community Manager
Viewer

Re: Proper protocol before publishing an article

Thanks, very helpful.