lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed Oct  5 16:24:51 2005
From: Valdis.Kletnieks at (
Subject: Publicly Disclosing A Vulnerability 

On Wed, 05 Oct 2005 08:17:41 PDT, Steve Friedl said:

> Your customer still has to work with the vendor after you're gone, and
> going public - which I think is a fine idea in general - could sour a
> relationship that's not yours to sour. Ask the customer what they want
> to do with this, but if you're covered under NDA (as you surely must be)
> I'm pretty sure you have to sit on it if they tell you to.

One thing to remember is that the customer has some leverage with the vendor,
since they can say "What are you going to do about this problem our contractor
found in your stuff?  And is your head-in-the-sand attitude indicative of how
you intend to deal with *other* problems as well?  Should we start considering
moving our business elsewhere to another vendor that isn't as coated in ostrich
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url :

Powered by blists - more mailing lists