lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed Oct  5 20:38:58 2005
From: adesautels at comcast.net (Adriel Desautels)
Subject: Publicly Disclosing A Vulnerability

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Interesting, 
    I remember back when KF and I were running SNOsoft we executed a
research project against HP's Tru64. We contacted the vendor (HP) in
good faith and provided them with information regarding the
vulnerabilities that we'd discovered. The vendor immediatley
attempted to quash our research in an attempt to either save face or
save dollars, still not sure which, but the end result was some
serious turmoil and a lot of good and bad press for both sides.  If
you are concerned with your public/business image then I'd suggest
that you consider disclosure without credit as suggested by xyberpix.
My personal opinion is in support of disclosing the information as I
feel that it will help the people that know how to protect
themselves, protect themselves. 
 
- -Adriel


________________________________

	From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Josh
Perrymon
	Sent: Wednesday, October 05, 2005 10:52 AM
	To: full-disclosure@...ts.grok.org.uk
	Subject: [Full-disclosure] Publicly Disclosing A Vulnerability
	
	

	Ok,

	 

	I believe in working with the Vendor to inform then of vulnerable
software upon finding it in the wild so on.

	But I have a question.

	 

	While performing a pen-test for a large company I found a directory
transversal vulnerability in a search program-

	I used Achilles and inserted the DT attack in a hidden field and
posted it to the web server. This returned the win.ini..

	Cool..

	 

	Well. I called the company up and got the lead engineer on the
phone.. He seemed a little pissed.

	He told me that they found the hole internally a couple months ago
but they don't want it public and they said I should not tell anyone
about it because they don't want their customers at risk.

	 

	So I ask the list- what is more beneficial to the customer? Not
publicly disclosing the risk and hoping that they follow the
suggestions of the vendor to upgrade?  Or waiting 30 days and send it
out?

	 

	 

	 

	Joshua Perrymon

	Sr. Security Consultant

	Network Armor

	A Division of Integrated Computer Solutions

	perrymonj( at )networkarmor.com <mailto:perrymonj@...workarmor.com> 

	Cell. 850.345.9186

	Office: 850.205.7501 x1104

	 


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com

iQA/AwUBQ0QcaJNLRT/rHZe1EQJ3+wCgzJRX8HT8VyOh3iLa5003Gelp/4wAni38
kUHdtMmiEFdUVHmq60HGL+jd
=F1BG
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGPexch.htm.pgp
Type: application/octet-stream
Size: 2319 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051005/9901a553/PGPexch.htm.obj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ