Home page logo

basics logo Security Basics mailing list archives

RE: Unresponsive Vendor
From: "Bob Beck" <goodfela26 () finneganfamily net>
Date: Thu, 20 Nov 2003 12:15:06 -0500

Give them some time to fix it. If the company hasn't fixed the bug after
adequate time has been given, release the exploit to a list such as this and
request that the recipients test the exploit and submit it if they see the
same results.

The more people who submit an exploit, the quicker the bug gets fixed.

As for credit, does it really matter? Getting the bug fixed should be what
you're concerned with. If the company gives you credit, great. If not, don't
worry about it.

My 2 cents.

-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com]
Sent: Wednesday, November 19, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor

I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However they never
responded to my email, and a couple years later they fixed the issue and did
not give credit were due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said a engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue wont get fixed
for a while, and once again I wont get credit. I'm just wondering what would
be a fair time frame before releasing a exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release a exploit but none i've read yet give any guidance on what
you should do if the vendor is dragging their feet.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]