Home page logo

basics logo Security Basics mailing list archives

Re: Unresponsive Vendor
From: Matt Burnett <marukka () mac com>
Date: Thu, 20 Nov 2003 11:25:53 -0600

Im sorry if you feel that I am being immature, the main reason I would like
credit would be to add it to my resume. I haven't worked in 4.5 months and I
could use all the help I can get. Potential employers ive talked to seem to
like stuff like this. Also I was irked by it because, for other security
flaws they have given the notifier credit. If they never gave anyone credit
I could understand that, but giving credit to people from well known orgs
and not giving credit to just some guy (like me) doesn¹t make much sense.

For the person who gave the broken window analogy. I normally wouldn¹t care
if it was just some random piece of software. However I use this software on
a daily basis. And when I do get another job im sure im going to have to
support it there and worry about the security flaw.

On 11/20/03 11:00 AM, "c_brauckmiller () LEK COM" <c_brauckmiller () LEK COM>

I have a couple of comments on this.

First, and please don't take this the wrong way, let me state that I think
its a bit imature to complain about not getting credit for discovering a
bug/vuln in a software package.  I understand that you'd like credit for your
discovery, but I think your better served just releasing the fact that you
discovered it to the appropriate groups such as BugTraq.  That should be
enough.  I wouldn't count on many vendors patting you on the back publicly and
saying "Yeah we screwed up and this guy found it."

Having said that, if you haven't heard from the vendor in a month with even a
status update...I say screw'em...release the exploit.  If they don't have the
common courtesy to let you know, "Hey..we are working on it." then they are
a very good company to begin with and they should be shown that the security
community won't stand for it.  After they get nailed a couple times, hopefully
they will reconsider their methods.

My 2 cents worth.


Matt Burnett <marukka () mac com> on 11/19/2003 02:02:57 PM

To:   security-basics () securityfocus com
cc:    (bcc: Craig Brauckmiller/LEK)

Subject:  Unresponsive Vendor

I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However they never
responded to my email, and a couple years later they fixed the issue and did
not give credit were due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said a engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue wont get fixed
for a while, and once again I wont get credit. I'm just wondering what would
be a fair time frame before releasing a exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release a exploit but none i've read yet give any guidance on what
you should do if the vendor is dragging their feet.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]