| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200510051524.j95FOHLw006919@turing-police.cc.vt.edu> Date: Wed Oct 5 16:24:51 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Publicly Disclosing A Vulnerability On Wed, 05 Oct 2005 08:17:41 PDT, Steve Friedl said: > Your customer still has to work with the vendor after you're gone, and > going public - which I think is a fine idea in general - could sour a > relationship that's not yours to sour. Ask the customer what they want > to do with this, but if you're covered under NDA (as you surely must be) > I'm pretty sure you have to sit on it if they tell you to. One thing to remember is that the customer has some leverage with the vendor, since they can say "What are you going to do about this problem our contractor found in your stuff? And is your head-in-the-sand attitude indicative of how you intend to deal with *other* problems as well? Should we start considering moving our business elsewhere to another vendor that isn't as coated in ostrich feathers?"..... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051005/d109e2f2/attachment.bin
Powered by blists - more mailing lists