Sep 20 2008

Part 1: Cross-Road With Responsible Disclosure

This is the first in a three-part series on responsible disclosure, taking over where the vendor leaves off, and the release of the advisory.

I subscribe to the school of thought that responsible disclosure is the way to handle critical vulnerabilities. The kind of issues that place the privacy, welfare or money of people or businesses at risk need to be handled in such a way that the risk to all parties involved is reduced and everyone wins (before somebody gets owned).

Months back, nGenuity found that a commercial and really expensive healthcare application exposed patient information through a forced browsing vulnerability (there will be a follow-up on this soon about how I found this vuln). This web application’s purpose and design is to provide doctors access to these records over the web in a secure fashion. We proceeded to write up the vulnerability details and provided them to the vendor, trying to be as responsible as we could. We notified our client, which immediately blocked application access from the Internet. The only one left to play nice was the vendor, but the vendor response was less than adequate.
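As an added example (this is not code from the original post, and not the vendor's application), here is a toy Python records endpoint showing the forced browsing bug class mentioned above beside a hardened version of the same route. The route, usernames, record ids and session store are all hypothetical; the point is the missing per-object authorization check, and the id walk a tester uses to find it.

```python
"""
Added example, not from the original post and not the vendor's code: a toy
/records/<id> endpoint with a forced-browsing bug, beside a hardened version.
All names, paths, sessions and records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional
import re

# Constructed sample data: which doctor is allowed to read which patient record.
RECORDS = {
    1001: {"patient": "A. Example", "attending": "dr_alice"},
    1002: {"patient": "B. Example", "attending": "dr_bob"},
}

# Constructed session store: session cookie value -> authenticated username.
SESSIONS = {
    "sess-alice": "dr_alice",
    "sess-bob": "dr_bob",
}

RECORD_PATH = re.compile(r"^/records/(\d+)$")


@dataclass
class Response:
    status: int
    body: str


def current_user(cookies: dict) -> Optional[str]:
    """Resolve the session cookie to a username, or None if not logged in."""
    return SESSIONS.get(cookies.get("session", ""))


def vulnerable_records(path: str, cookies: dict) -> Response:
    """Checks only that the caller is logged in. Any authenticated doctor who
    guesses or increments the record id in the URL receives another doctor's
    patient record: the forced-browsing bug."""
    user = current_user(cookies)
    if user is None:
        return Response(302, "redirect to /login")
    m = RECORD_PATH.match(path)
    if not m:
        return Response(404, "not found")
    record = RECORDS.get(int(m.group(1)))
    if record is None:
        return Response(404, "not found")
    return Response(200, record["patient"])


def hardened_records(path: str, cookies: dict) -> Response:
    """Same route, but the object referenced in the URL is checked against the
    caller's authorization before it is returned. Missing and forbidden ids both
    answer 404 so the endpoint does not confirm which record ids exist."""
    user = current_user(cookies)
    if user is None:
        return Response(302, "redirect to /login")
    m = RECORD_PATH.match(path)
    if not m:
        return Response(404, "not found")
    record = RECORDS.get(int(m.group(1)))
    if record is None or record["attending"] != user:
        return Response(404, "not found")
    return Response(200, record["patient"])


def enumerate_records(handler: Callable[[str, dict], Response],
                      cookies: dict, id_range: Iterable[int]) -> List[int]:
    """What a tester does to find the bug: walk the id space with one valid
    session and collect every id that comes back 200."""
    return [rid for rid in id_range
            if handler(f"/records/{rid}", cookies).status == 200]


if __name__ == "__main__":
    alice = {"session": "sess-alice"}
    print("vulnerable:", enumerate_records(vulnerable_records, alice, range(1000, 1005)))
    print("hardened:  ", enumerate_records(hardened_records, alice, range(1000, 1005)))
```

Run it and the vulnerable handler hands Alice's session both 1001 and 1002, while the hardened one returns only her own patient. Two design choices are worth noting: the authorization check sits next to the object lookup, not in some earlier "is the user logged in" layer, and the denied case is indistinguishable from the missing case, which keeps the id space from being mapped with a simple 403/404 comparison.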

Now I’m at a crossroads with responsible disclosure. If the vendor does not play ball, fix the vulnerability and notify their customer deployments, then I am left with the burden of contacting those other deployments. Should this really fall on me? Yes, if I’m going to follow through with my pact with responsible disclosure. I don’t have any other option if I want any of my clients to trust that I would do right by them with their confidential information. I’m also sure that somewhere in the fine print of my ISC2 and Certified Ethical Hacker ethics agreements it says I shouldn’t do that.

If you are an organization that makes software (yes, this includes all you web developers), please make sure you make it easy for researchers to contact you about security issues in your products. When (not if) an issue is found in your software, coordinate with the finder and address the issue as quickly as possible. I have a rule about developers.

Stay tuned to find out what our experience is notifying all of the medical organizations out there on the Internet running this application.