| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Oct 5 15:52:25 2005 From: perrymonj at networkarmor.com (Josh Perrymon) Subject: Publicly Disclosing A Vulnerability Ok, I believe in working with the Vendor to inform then of vulnerable software upon finding it in the wild so on... But I have a question... While performing a pen-test for a large company I found a directory transversal vulnerability in a search program- I used Achilles and inserted the DT attack in a hidden field and posted it to the web server. This returned the win.ini.. Cool.. Well... I called the company up and got the lead engineer on the phone.. He seemed a little pissed. He told me that they found the hole internally a couple months ago but they don't want it public and they said I should not tell anyone about it because they don't want their customers at risk. So I ask the list- what is more beneficial to the customer? Not publicly disclosing the risk and hoping that they follow the suggestions of the vendor to upgrade? Or waiting 30 days and send it out? Joshua Perrymon Sr. Security Consultant Network Armor A Division of Integrated Computer Solutions perrymonj( at <mailto:perrymonj@...workarmor.com> )networkarmor.com Cell. 850.345.9186 Office: 850.205.7501 x1104 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051005/b7159346/attachment.html
Powered by blists - more mailing lists