lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <20051005163827.GQ5321@starhacker.org>
Date: Wed Oct  5 19:28:48 2005
From: fx at phenoelit.de (FX)
Subject: Publicly Disclosing A Vulnerability

Hi List,
Hi Josh,

with all due respect for your work and your desire to perform responsible
disclosure, did you perform the test for a client of NetworkArmor? If so,
your company states on their web page:

"The NetworkArmor division of Integrated Computer Solutions, Inc. provides
military-grade Information Security (InfoSec) Consulting Services to
enterprise-class commercial businesses, non-profit organizations, educational
institutions, and government agencies.  Our certified InfoSec experts guide
clients in developing comprehensive programs to secure information assets."

I don't know about the military part, but in enterprise-class, it's usually
pretty clear who owns the vulnerability found on a paid-for pen-test.
Therefore, as others already pointed out, it should not be your call to
disclose the vulnerability.

My advice would be to focus on your customer and see what would be beneficial
for him, which in this case probably is a fix from the vendor. This, in turn,
would also be beneficial for the other customers of this vendor, since the fix
would be produced and others could patch as well. And if your customer or the
vendor publishes, they might even give you credit.

cheers
FX

-- 
         FX           <fx@...noelit.de>
      Phenoelit   (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
