
Responsible Disclosure
Introduction:
As a leaktest author, I do not find firewall vulnerabilities in the usual security sense, but rather firewall weaknesses, i.e. ways to escape detection and transmit data.
Still, the result is the same: if a leaktest is released to the public, and thus to black hats, as soon as it is discovered, it puts users in danger because no immediate patch is available.
So I had to find a way of making the public aware of any vulnerabilities, but in such a way that the firewall developers are informed first, so that they can correct the vulnerability in a reasonable amount of time.
Finally, a public announcement is made for the sake of users' security.
Criteria:
I have tried to do these things correctly, in the best way possible for everyone, and I think that a detailed disclosure policy must be written to meet the following criteria:
a) It is applied to ensure the best safety for the end user.
b) It gives the firewall vendor the best circumstances to fix a weakness and/or vulnerability.
It is also needed to prove that I am NOT trying to scare people or to attract attention, but instead to solve the problems as quickly as possible.
Discovery step:
When I find a possible way to escape firewall detection, I test every personal firewall that I have (the most popular ones) to see which allow the unwanted traffic and which detect the leaktest, so that I end up with a list of firewall vendors to contact.
Contact step:
I look for an email address to contact each firewall vendor, if I do not already have one.
I first send a "hello" email briefly explaining what the issue is and asking for a proper email address to submit the leaktest discovery to, or I submit it directly if I already have a proper known address.
In that email I send the leaktest executable along with its source code, I explain the firewall weakness, and I ask how long it would take to correct it.
From the day I have sent the email, I wait five working days for an answer from each firewall vendor. If I get none, meaning that no vendor answers, then after the fifth working day I release the leaktest. If I get at least one answer, we go to the next step.
Timeframe agreement:
Usually, if the "threat" is very minor, i.e. it can be blocked by third-party software such as a sandbox application, then I set the timeframe to two weeks, meaning that the leaktest will be released two weeks after the date of the first answer from a vendor.
If the "threat" is moderate, i.e. it can only be blocked by significant modifications or workarounds, which cost money and/or time, then I will ask how long the vendor expects the fix to take and, if reasonable, I will accept their timeframe.
In the very unlikely case that the leaktest is a real critical exploit which can be blocked by neither firewalls nor sandbox software, the timeframe will not be limited: the leaktest will only be released once at least one firewall vendor offers a fix.
Firewall vendor agreements:
By replying to the first email which included the leaktest executable, and so as to decide the timeframe, the firewall vendor tacitly agrees to this disclosure policy and acknowledges that I, Guillaume Kaddouch, cannot in any way be held responsible for anything regarding the company or the product.
They also acknowledge that I am behaving in the best way possible for both the product users and the product vendor, and that I am not responsible for the OS or software weakness which has been discovered.
They have the right to deny their product's weakness, but in that case the leaktest will be made public, and I cannot be made liable for any damage of any kind to the company.
They agree to acknowledge me in the fix or in the change log when the weakness is corrected in their product.
If they think it is an important or critical point, they must tell me in their first reply after they have received the leaktest. They cannot later (such as just before the release deadline) invoke new arguments to delay the leaktest release.
They acknowledge that I am doing my best to help them, that my claims only reflect my personal opinion, and that no harm can be done by the leaktest itself.
If they do not answer at all (a link to this disclosure policy page being included in each email), even though I use direct and public email addresses, it will mean that they deny the weakness in their software and cannot hold me responsible for anything after the leaktest is released.
Conclusion:
My aim is always to advise and give workarounds to block any threat shown on this website.
If I do not know of a defence against a threat/exploit/weakness I will not disclose it.
My purpose is NOT to spread fear or to feed black hats' bags.
I do not wish to be critical of "full disclosure"; instead I am just saying that I personally believe in "responsible disclosure".