Date: Mon, 12 Mar 2018 08:19:14 +0000
From: Alex BALAN <>
To: filipe <>
Cc: "" <>
Subject: Re: [FD] BitDefender Total Security 2018 - Insecure Pipe Permissions


Allow me to fix this for you:

> On 6 Mar 2018, at 20:04, filipe <> wrote:
> =====[ Timeline of disclosure ]===============================================
> 01/24/2018 - Vendor was informed of the vulnerability.
> 01/29/2018 - Vendor did not respond.

01/25/2018 - We replied notifying you that we’ve opened a ticket with the relevant team
01/26/2018 - We asked for a working PoC
01/31/2018 - You replied with a theoretical “PoC” (no code, just a few steps which didn’t really help, sadly)
02/01/2018 - We replied asking for a script, a piece of code, a video, anything that backs up your claim since we didn’t reproduce it based on the steps you provided.
02/12/2018 - We notified you that we closed the ticket since you stopped replying

> 01/24/2018 - CVE assigned [2]
> 03/06/2018 - Advisory publication date.

We take our bug bounty programs very seriously and, other than some Nigerian princes and fake LinkedIn invites, we reply to _all_ reports, valid, invalid or incredibly ridiculous alike. As such, you may imagine why, when we saw an advisory with our name saying “Vendor did not respond”, the team felt a bit disappointed for failing to reply for the first time in a few years. Thankfully this was not the case.

If you still believe this is a genuine issue, exploitable in real life and you have some evidence to back that up, let us know and we’ll gladly reopen the ticket.

Alex “Jay” BALAN
Chief Security Researcher


Sent through the Full Disclosure mailing list