Bugtraq: Question About Ethics and Full Disclosure

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Question About Ethics and Full Disclosure

From: "Tom" <tommy () providesecurity com>
Date: Thu, 20 May 2004 15:43:21 -0400


I have sat on 2 vulnerabilities for a shopping cart for over a year and
nothing has changed.  Now I have found a 3rd with new services added to this
shopping cart. 

I have emailed support several times but NEVER get a response.
As a security professional and not to be Unethical what would be a
recommended path to follow?
        
* Notify their customers (several 100)
* Notify the Payment Gateways they are Authorized to use 
(VeriSign, PayPal, Authorize.NET)
* Be a total A** and just release it to all the mailing lists and at DEFCON

BTW...I have sent several emails to various parts of VeriSign and NOBODY has
responded as to the proper person to notify within the organization about
this. I chose VeriSign because this cart is at the Top of Their List!

IF anyone knows who to contact from VeriSign, authorize.net and PayPal about
this please email me directly.

Thanks,

Tom Ryan

By Date By Thread

Current thread:

Question About Ethics and Full Disclosure Tom (May 20)
- Re: Question About Ethics and Full Disclosure T.J. (May 20)
- Re: Question About Ethics and Full Disclosure Michal Zalewski (May 21)
- <Possible follow-ups>
- RE: Question About Ethics and Full Disclosure Drew Copley (May 20)
- RE: Question About Ethics and Full Disclosure Kevin E. Casey (May 20)