lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9058.217.166.60.19.1128525493.squirrel@ma.rtij.nl>
Date: Wed Oct  5 17:25:31 2005
From: m at rtij.nl (Martijn Lievaart)
Subject: Publicly Disclosing A Vulnerability

Josh Perrymon zei:
> Ok,
>
[ directory transversal vulnerability in a search program ]
>
> So I ask the list- what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade?  Or waiting 30 days and send it out?

First look at the contract for the pentest. Are you allowed to disclose
this? Often your contract prevents this. Be careful!

M4
(but then magically someone else who is not under contract or NDA finds
this bug a few weeks later....)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ