• The behavior that the finder reported exists, but does not create a security concern. If this statement is true, the vendor should forward validation data to the finder, such as:
  • Product documentation that confirms the behavior is normal or nonthreatening
  • Test results that confirm that the behavior is only a security concern when it is configured inappropriately
  • An analysis that shows how an attack could not successfully exploit this reported behavior
The finder may choose to dispute this conclusion of disproof by the vendor. In this case, the finder should reply to the vendor with its own testing results that validate its claim and contradict the vendor's findings. The finder should also supply an analysis of how an attack could exploit the reported flaw. The vendor is responsible for reviewing the dispute, investigating it again, and responding to the finder accordingly.
Unable to Confirm or Disprove the Flaw
In the event the vendor cannot confirm or disprove the reported flaw, it should inform the finder of the results and produce detailed evidence of its investigative work. Test results and analytical summaries should be forwarded to the finder.
Chapter 3: Proper and Ethical Disclosure