| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTinem31X_2+KN46fAw-3K-bVw5SYjLreo29_cpZ-@mail.gmail.com> Date: Sat, 19 Feb 2011 12:40:11 -0500 From: Shawn Merdinger <shawnmer@...il.com> To: Hack Talk <hacktalkblog@...il.com> Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: University of Central Florida Multiple LFI Hi, On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog@...il.com> wrote: > countless attempt to contact both their infosec team, the "tech rangers", > and their personal web developers with no contact back or patching of these > vulnerabilities I decided to post these up on FD. There are still many, > _many_ more vulnerabilities which I have yet to disclose as I'm still giving > them a chance to patch them. I'll side-step the discussion of possible ethical and legal ramifications here. However, I humbly suggest there are ways to escalate ones concerns in most organizations, especially open ones like public .edus. For example, one could, after "no contact back" from a .edus security/site owners could notify the .edu's general counsel and president's office, perhaps cc'ing US-CERT and CERT/CC as well. Having your process, intentions and outcomes documented in a disclosure policy that you've provided to all parties from initial communication also might be something to consider. Cheers, --scm _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists