lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed Oct  5 19:28:48 2005
From: fx at phenoelit.de (FX)
Subject: Publicly Disclosing A Vulnerability

Hi List,
Hi Josh,

with all due respect for your work and your desire to perform responsible
disclosure, did you perform the test for a client of NetworkArmor? If so, 
your company states on their web page : 

"The NetworkArmor division of Integrated Computer Solutions, Inc. provides
military-grade Information Security (InfoSec) Consulting Services to
enterprise-class commercial businesses, non-profit organizations, educational
institutions, and government agencies.  Our certified InfoSec experts guide
clients in developing comprehensive programs to secure information assets."

I don't know about the military part, but in enterprise-class, it's usually
pretty clear who owns the vulnerability found on a paid for pen-test. 
Therefore, as others already pointed out, it should not be your call to 
disclose the vulnerability. 

My advise would be to focus on your customer and see what would be beneficial
for him, which in this case probably is a fix from the vendor. This, in turn,
would also be beneficial for the other customers of this vendor, since the fix
would be produced and others could patch as well. And if your customer or the
vendor publishes, they might even give you credit. 

cheers
FX

-- 
         FX           <fx@...noelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ