Message-ID: <9E97F0997FB84D42B221B9FB203EFA270186862A@dc1ms2.msad.brookshires.net>
Date: Wed Oct 5 16:23:00 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: Publicly Disclosing A Vulnerability
I would say tell the vendor that they need to issue a fix and a statement. Come to an agreement with the vendor on a release time. It isn't your software and it truly isn't your responsibility to protect THEIR customers; that is their job. It is a serious attack, it seems, and it shouldn't be open to the public. If it is fixed in the new version then a security release by the vendor would give security and network admins at companies the ammo needed to buy the new version. Don't vendors understand that part.. geez.
Most PHBs need a good reason to upgrade. Security holes are that ammo...
If they fail to protect THEIR customers, then you may have to do what X says... to force their hand. Sad that it even has to be an option, however.
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf
> Of xyberpix
> Sent: Wednesday, October 05, 2005 10:02 AM
> To: Josh Perrymon
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
>
> Notify the vendor, wait 30 days and disclose it under a false
> name from some arb e-mail addy. That way your customer never
> has to know it's you who disclosed it. You won't get the
> credit for discovering it, but does that really matter?
>
> xyberpix
>
> On 5 Oct 2005, at 15:52, Josh Perrymon wrote:
>
> > Ok,
> >
> > I believe in working with the Vendor to inform them of vulnerable
> > software upon finding it in the wild and so on...
> >
> > But I have a question...
> >
> > While performing a pen-test for a large company I found a directory
> > traversal vulnerability in a search program.
> >
> > I used Achilles and inserted the DT attack in a hidden field and
> > posted it to the web server. This returned the win.ini..
> >
> > Cool..
> >
> > Well... I called the company up and got the lead engineer on the phone..
> > He seemed a little pissed.
> >
> > He told me that they found the hole internally a couple months ago but
> > they don't want it public and they said I should not tell anyone about
> > it because they don't want their customers at risk.
> >
> > So I ask the list: what is more beneficial to the customer? Not
> > publicly disclosing the risk and hoping that they follow the
> > suggestions of the vendor to upgrade? Or waiting 30 days and sending
> > it out?
> >
> > Joshua Perrymon
> > Sr. Security Consultant
> > Network Armor
> > A Division of Integrated Computer Solutions
> > perrymonj( at )networkarmor.com
> > Cell. 850.345.9186
> > Office: 850.205.7501 x1104
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
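The bug class Josh describes (a user-controlled path in a hidden form field walking up out of the search program's document root until it reaches win.ini) is closed server-side by canonicalising the requested path and refusing anything that lands outside the permitted directory. The following is an added example, not code from any message in this thread or from the vendor's product; the search root directory and the function name are assumed for illustration.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed document root for the example; the real search program's
# root would be configured elsewhere.
DOCROOT = Path("/srv/search/docs")


def resolve_within_root(user_path: str, root: Path = DOCROOT) -> Optional[Path]:
    """Return the canonical path for user_path if it stays inside root, else None.

    user_path is the raw value from the form field (already URL-decoded by the
    web layer).  Backslashes are folded to '/' because the reported target was
    a Windows host; os.path.normpath then collapses '.' and '..' segments, and
    the final prefix check rejects anything that escaped root, including the
    sibling-directory case ("/srv/search/docs2") that a naive startswith()
    on the bare root string would accept.
    """
    normalised = user_path.replace("\\", "/")
    # Absolute paths and drive-letter paths are never legitimate search targets.
    if normalised.startswith("/") or ":" in normalised or "\0" in normalised:
        return None
    root_str = root.as_posix()
    candidate = os.path.normpath(os.path.join(root_str, normalised))
    if candidate != root_str and not candidate.startswith(root_str + "/"):
        return None
    # On a live filesystem, follow up with os.path.realpath() so symlinks
    # inside root cannot point back outside it; omitted here so the example
    # runs without the directory existing.
    return Path(candidate)
```

A request that resolves to None should be logged with the raw field value, since a burst of such rejections is the detection signal for exactly the probing Josh performed.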