lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed Oct  5 16:17:57 2005
From: steve at unixwiz.net (Steve Friedl)
Subject: Publicly Disclosing A Vulnerability

On Wed, Oct 05, 2005 at 09:52:14AM -0500, Josh Perrymon wrote:
> Well... I called the company up and got the lead engineer on
> the phone.. He seemed a little pissed.

This seems to be a common vendor response: yuck.

> So I ask the list- what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade?  Or waiting 30 days and send it out?

If the vendor knows which customer you're doing the work for, it's not
really your call to make.

Your customer still has to work with the vendor after you're gone, and
going public - which I think is a fine idea in general - could sour a
relationship that's not yours to sour. Ask the customer what they want
to do with this, but if you're covered under NDA (as you surely must be)
I'm pretty sure you have to sit on it if they tell you to.

This is a customer-service issue, not a security issue. And a bummer.

Steve

--- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@...xwiz.net

Powered by blists - more mailing lists