Home page logo
/

basics logo Security Basics mailing list archives

RE: Unresponsive Vendor
From: "Randy Golly" <rcgolly () vermeertexas com>
Date: Thu, 20 Nov 2003 14:39:06 -0600

Why do you need to be recognized or be credited for your findings?  I
think that the fact that you found the exploit and pointed it out to the
vendor has your moral responsibility covered.  

Be careful in taking the step of "announcing to the world" your exploit
findings.  There was a recent case of a security specialist jailed for
disclosing a website security hole to users.  It is a unique
interpretation of the Computer Fraud and Abuse Act, where a California
man was imprisoned for warning users of a breach in their web based
email. It was said that he "impaired the integrity" of the network and
reputation of the provider. 

See the article at http://www.securityfocus.com/columnists/179

Randy Golly
IT Director
Vermeer Equipment of Texas, Inc.

-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com] 
Sent: Wednesday, November 19, 2003 1:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor

I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did
email
them with enough details to replicate the issue. However they never
responded to my email, and a couple years later they fixed the issue and
did
not give credit were due. I'm sure other researchers contacted them with
a
similar but different way to exploit the flaw, but no one at all is
given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case
number
and said a engineer would be in contact with me in approximately a week.
I'm
guessing that something similar will happen and this issue wont get
fixed
for a while, and once again I wont get credit. I'm just wondering what
would
be a fair time frame before releasing a exploit, and what I could/should
do
about receiving credit. I have looked at some papers online about when
you
should release a exploit but none i've read yet give any guidance on
what
you should do if the vendor is dragging their feet.


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]