| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20051005151741.GA9510@linux.unixwiz.net> Date: Wed Oct 5 16:17:57 2005 From: steve at unixwiz.net (Steve Friedl) Subject: Publicly Disclosing A Vulnerability On Wed, Oct 05, 2005 at 09:52:14AM -0500, Josh Perrymon wrote: > Well... I called the company up and got the lead engineer on > the phone.. He seemed a little pissed. This seems to be a common vendor response: yuck. > So I ask the list- what is more beneficial to the customer? Not publicly > disclosing the risk and hoping that they follow the suggestions of the > vendor to upgrade? Or waiting 30 days and send it out? If the vendor knows which customer you're doing the work for, it's not really your call to make. Your customer still has to work with the vendor after you're gone, and going public - which I think is a fine idea in general - could sour a relationship that's not yours to sour. Ask the customer what they want to do with this, but if you're covered under NDA (as you surely must be) I'm pretty sure you have to sit on it if they tell you to. This is a customer-service issue, not a security issue. And a bummer. Steve --- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@...xwiz.net
Powered by blists - more mailing lists