Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Publicly Disclosing A Vulnerability
From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Oct 2005 11:24:17 -0400

On Wed, 05 Oct 2005 08:17:41 PDT, Steve Friedl said:

Your customer still has to work with the vendor after you're gone, and
going public - which I think is a fine idea in general - could sour a
relationship that's not yours to sour. Ask the customer what they want
to do with this, but if you're covered under NDA (as you surely must be)
I'm pretty sure you have to sit on it if they tell you to.

One thing to remember is that the customer has some leverage with the vendor,
since they can say "What are you going to do about this problem our contractor
found in your stuff?  And is your head-in-the-sand attitude indicative of how
you intend to deal with *other* problems as well?  Should we start considering
moving our business elsewhere to another vendor that isn't as coated in ostrich

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]