Update 10.20.2007: Additional links and press coverage
Some Answers for Jeremiah: Website Vulnerabilities
No Breach, No Foul
Security Experts: Merchants Racing to the Bottom for PCI Certs
Should We Be Legally Obligated to Fix Vulnerabilities?
National Retail Federation takes aim at PCI DSS Council
PCI Extends Its Reach to Application Security
Retailers B*tch Slap PCI Security Standards Council, If You Believe Them
Merchants mad about credit card retention
In the industry we discuss at great length the legal risks and ethical responsibilities of the person disclosing an issue, but not enough about the same when it comes to the business itself. I’ve had a hard time getting authoritative answers to some seemingly simple questions, so I figured I’d give the blog a try. Let's assume a company is informed of a SQLi or XSS vulnerability in their website (I know, shocker) either privately or via public disclosure on sla.ckers.org. And that vulnerability potentially places private personal information (PPI) or intellectual property at risk of compromise. My questions are:
1) Is the company “legally” obligated to fix the issue or can they just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.
2) What if repairs require a significant time/money investment? Is there a resolution grace period, does the company have to install compensating controls, or must they shut down the website while repairs are made?
3) Should an incident occur exploiting the aforementioned vulnerability, does the company carry any additional legal liability?
4) If the company's website is PCI-DSS certified, is the website still considered certified after the point of disclosure, given what the web application security sections dictate?
5) Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action for certifying a non-compliant website? What happens if this becomes a pattern?
While I’m happy to hear anyone’s personal opinions, answers backed by cited references are the best. Laws, case law, investigations, news stories, FAQs, or whatever are what I’m looking for.