Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Publicly Disclosing A Vulnerability
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 5 Oct 2005 10:22:48 -0500

I would say tell the vendor that they need to issue a fix and a statement. Come to a agree with the vendor on a release 
time. It isn't your software and there truly isn't your responible to protect THEIR customers, that is their job. It is 
a serious attack it sees and it shouldn't be open in the public. If it is fixed in the new version then a security 
release by the vender would give security and network admin at companies the ammo needed to buy the new version. Don't 
vendors understand that part..gezz.

Most PHBs need a good reason to upgrade. Security holes are that ammo...

If they fail to protect THEIR customers, then you may have to do what X says...to force their hand. Sad that it even 
has to be a option however.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of xyberpix
Sent: Wednesday, October 05, 2005 10:02 AM
To: Josh Perrymon
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Notify the vendor, wait 30 days and disclose it under a false 
name from some arb e-mail addy. That way your customer never 
has to know it's you who disclosed it. You won't get the 
credit for discovering it, but does that really matter?

xyberpix

On 5 Oct 2005, at 15:52, Josh Perrymon wrote:

Ok,



I believe in working with the Vendor to inform then of vulnerable 
software upon finding it in the wild so on...

But I have a question...



While performing a pen-test for a large company I found a directory 
transversal vulnerability in a search program―

I used Achilles and inserted the DT attack in a hidden field and 
posted it to the web server. This returned the win.ini..

Cool..



Well... I called the company up and got the lead engineer on 
the phone.. 
He seemed a little pissed.

He told me that they found the hole internally a couple 
months ago but 
they don't want it public and they said I should not tell 
anyone about 
it because they don't want their customers at risk.



So I ask the list- what is more beneficial to the customer? Not  
publicly disclosing the risk and hoping that they follow the  
suggestions of the vendor to upgrade?  Or waiting 30 days and send  
it out?







Joshua Perrymon

Sr. Security Consultant

Network Armor

A Division of Integrated Computer Solutions

perrymonj( at )networkarmor.com

Cell. 850.345.9186

Office: 850.205.7501 x1104



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDQ+rTcRMkOnlkwMERArXnAJ9T04F5Vo7PvuBIz889XpCrj00SnQCeJEb+
mc8ZKiCdog2PlppQ4xgomBU=
=IPfz
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]