Open Source and information security mailing list archives
Date: Sat, 19 Feb 2011 12:46:04 -0500
From: Hack Talk <hacktalkblog@...il.com>
To: Shawn Merdinger <shawnmer@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: University of Central Florida Multiple LFI

Hey Shawn,

I typically follow the Rain Forest Puppy Responsible Disclosure Policy which
I'm sure many people have read. I even extended the contact time to 2 weeks
since Universities are quite busy places. During those 2 weeks I personally
emailed them back 5 times and did not get a single response back. This is
not the first time the University has neglected to respond to
vulnerabilities affecting their sites and as such I decided that enough was
enough and that by publicly disclosing these vulnerabilities they would be
forced to patch their code. I've worked with many Universities in the past
to patch their vulnerabilities and they have responded typically within 12
hours of me sending my initial email alerting them to the issue. Being a
.edu does not exempt you from hackers wanting into your system and it does
not mean you can get away with having gaping holes in security for months
without patching them.

Full Disclosure as a methodology is about forcing people to fix their holes
which is exactly what I was hoping would happen to UCF.

Thanks for doing your best to extinguish the flamewar that was starting :D.


Luis Santana



On Sat, Feb 19, 2011 at 12:40 PM, Shawn Merdinger <shawnmer@...il.com> wrote:

> Hi,
>
> On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog@...il.com> wrote:
> > countless attempts to contact both their infosec team, the "tech rangers",
> > and their personal web developers with no contact back or patching of these
> > vulnerabilities I decided to post these up on FD. There are still many,
> > _many_ more vulnerabilities which I have yet to disclose as I'm still giving
> > them a chance to patch them.
>
> I'll side-step the discussion of possible ethical and legal ramifications
> here.
>
> However, I humbly suggest there are ways to escalate one's concerns in
> most organizations, especially open ones like public .edus.  For
> example, after "no contact back" from a .edu's security/site owners, one
> could notify the .edu's general counsel and president's office,
> perhaps cc'ing US-CERT and CERT/CC as well.  Having your process,
> intentions and outcomes documented in a disclosure policy that you've
> provided to all parties from initial communication also might be
> something to consider.
>
> Cheers,
> --scm
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
