Message-ID: <BAY9-DAV9NVxm9NbiYy0004e32c@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Vendor casual towards vulnerability found in product

> I have the following queries
>
> 1. Would an exploit like this be said to be severe?

yes

> 2. Is the vendor right in their approach to this issue?

not entirely

> 3. How do I make public the vulnerability? (Vendor has given permission for
> the same)

post it here, on your site, or another security list

> 4. Ok, I'll rather ask... *should* I make public details of this
> vulnerability? (Since I know of sites using this app server, and they may be
> taken down if the exploit goes out)

yes, maybe the vendor will wake up


that said, it seems the vendor knows of the flaw, and it is easily remedied by the
aforementioned "non default" setting and documentation reflecting that it is a
"good thing" to enable said option.
Often a disclosure policy helps vendors "stay on track".

some disclosure policies can be found at..

http://oisafety.org/
http://oisafety.org/process.html

http://exploitlabs.com/disclosure-policy.html
http://www.cert.org/kb/vul_disclosure.html
http://www.atstake.com/research/policy/
http://www.hut.fi/~tianyuan/slides/template/template.html


Donnie Werner
http://exploitlabs.com