Home page logo

basics logo Security Basics mailing list archives

RE: Unresponsive Vendor
From: "Bruce Davis" <talesian () istop com>
Date: Thu, 20 Nov 2003 15:35:44 -0500

I'm not sure how many vendors will say that it is standard but amoung the
hacking community that does notify vendors of exploits, I believe that the
RFP policy is considered to be standard and fair. As well as being fairly
straight forward.


-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com]
Sent: November 19, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor

I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However they never
responded to my email, and a couple years later they fixed the issue and did
not give credit were due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said a engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue wont get fixed
for a while, and once again I wont get credit. I'm just wondering what would
be a fair time frame before releasing a exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release a exploit but none i've read yet give any guidance on what
you should do if the vendor is dragging their feet.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]