| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Oct 5 16:03:35 2005 From: c0ntexb at gmail.com (c0ntex) Subject: Publicly Disclosing A Vulnerability Like wind, better out than in. On 05/10/05, Josh Perrymon <perrymonj@...workarmor.com> wrote: > > > > Ok, > > > > I believe in working with the Vendor to inform then of vulnerable software > upon finding it in the wild so on? > > But I have a question? > > > > While performing a pen-test for a large company I found a directory > transversal vulnerability in a search program? > > I used Achilles and inserted the DT attack in a hidden field and posted it > to the web server. This returned the win.ini.. > > Cool.. > > > > Well? I called the company up and got the lead engineer on the phone.. He > seemed a little pissed. > > He told me that they found the hole internally a couple months ago but they > don't want it public and they said I should not tell anyone about it because > they don't want their customers at risk. > > > > So I ask the list- what is more beneficial to the customer? Not publicly > disclosing the risk and hoping that they follow the suggestions of the > vendor to upgrade? Or waiting 30 days and send it out? > > > > > > > > Joshua Perrymon > > Sr. Security Consultant > > Network Armor > > A Division of Integrated Computer Solutions > > perrymonj( at )networkarmor.com > > Cell. 850.345.9186 > > Office: 850.205.7501 x1104 > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -- regards c0ntex
Powered by blists - more mailing lists