Date: Wed Oct  5 16:42:39 2005
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: Publicly Disclosing A Vulnerability

Hello,

Josh Perrymon wrote:

> While performing a pen-test for a large company I found a directory 
> traversal vulnerability in a search program.

Were you testing for the company that produces that software? If so, 
they are the customer, and since they are paying you, they get to choose 
who is going to be informed (any contract I would ever set up with a pen 
tester would include such a clause, and unless they are completely 
clueless I bet yours does too).

> He told me that they found the hole internally a couple months ago but 
> they don't want it public and they said I should not tell anyone about 
> it because they don't want their customers at risk.

Bullshit. Their customers are at risk now. If they want to minimize the 
impact on their customers, they should prepare a fix, then notify large 
customers (who need to go through some rollout procedure) under an NDA 
and inform the remaining customers about an upcoming security fix to be 
released on (insert timestamp two days later).

In my experience, there are two or three customers who will demand to 
have the fix instantaneously (with at least five exclamation marks[1]), 
but the majority understands that this strategy is most beneficial to 
them as they have time to make sure a techie is ready to implement the 
fix as soon as the vulnerability is disclosed.

    Simon

[1] cue obvious Terry Pratchett reference
