Open Source and information security mailing list archives
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: Vendor casual towards vulnerability found in product

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| I have the following queries
|
| 1. Would an exploit like this be said to be severe?

Yes.

| 2. Is the vendor right in their approach to this issue?

No. They are irresponsible and using their software would be a mistake.

| 3. How do I make public the vulnerability? (Vendor has given
| permission for
| the same)

Well, I'd suggest timing it with them for their next release. If that
release is farther away than say.. whatever time period over 2 months..
threaten to publish it.

You could always contact securiteam.com for their assistance in
contacting the vendor, and verifying that you did prior to releasing it.
They provide such services.

Aside from using SecuriTeam's help (which I strongly recommend), try
reading http://www.oisafety.org/.

| 4. Ok, I'll rather ask... *should* I make public details of this
| vulnerability? (Since I know of sites using this app server, and they
| may be
| taken down if the exploit goes out)

Sites will go down.

Should you? If you followed all the ethical standards and waited an
acceptable period of time.. you *could* and no one would look badly at
you.. BUT:

You could always sit on it if you'd like to feel more responsible with
yourself (I think you were very responsible, ALREADY) and once released
you can release more data on the issue.

| Your feedback would help.

The final decision should be yours. Take into account anything people
tell you, but make your own decision.

Don't listen to people who tell you that you are irresponsible, if you
first followed all the "rules". It is irresponsible to let such a
vulnerability exist without a patch.

Also, be responsible and DO follow the rules.

Good luck,

	Gadi Evron.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAtLfzqH6NtwbH1FARAgDZAJ9w+42sv0ZqhOxqVahyP9SoHB472gCfbWmN
Za0QEEF9dH+o6gSf7xUeKFI=
=Sd/0
-----END PGP SIGNATURE-----

