Message-ID: <ELEOLHOJFMBPBFCJHOCIAEAGEHAA.aditya.deshmukh@online.gateway.technolabs.net>
From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Subject: Vendor casual towards vulnerability found in product

> 1. Would an exploit like this be said to be severe?  

Yes. I assume from your email that the URL would require reconfiguring the server from scratch; if so, not serious, but if any file can be deleted then it is serious.

> 2. Is the vendor right in their approach to this issue?

No, the vendor should release a full advisory about this and at a minimum release the patch for this.

> 3. How do I make public the vulnerability? (Vendor has given 
> permission for
> the same) 

Google around for Rain Forest Puppy's disclosure policy for this; it is really good for this.

> 4. Ok, I'll rather ask... *should* I make public details of this
> vulnerability? (Since I know of sites using this app server, and 
> they may be
> taken down if the exploit goes out)
> 

Don't make it public without giving all the people affected a chance to protect their systems; however, you may release something like a one-line description of this and *not* give details to anyone except the vendor.


-aditya
