Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Publicly Disclosing A Vulnerability
From: "Donald J. Ankney" <dankney () sunsetfilms com>
Date: Wed, 5 Oct 2005 08:25:00 -0700

A big part of the equation is your contract with your client. Did you sign an NDA? If you did, then the decision really isn't yours anymore -- it's your clients (as they now own the results of your work, having paid you to conduct it).

NDAs can really suck sometimes -- never sign one lightly.

On Oct 5, 2005, at 7:52 AM, Josh Perrymon wrote:

Ok,



I believe in working with the Vendor to inform then of vulnerable software upon finding it in the wild so on…

But I have a question…



While performing a pen-test for a large company I found a directory transversal vulnerability in a search program—

I used Achilles and inserted the DT attack in a hidden field and posted it to the web server. This returned the win.ini..

Cool..



Well… I called the company up and got the lead engineer on the phone.. He seemed a little pissed.

He told me that they found the hole internally a couple months ago but they don’t want it public and they said I should not tell anyone about it because they don’t want their customers at risk.



So I ask the list- what is more beneficial to the customer? Not publicly disclosing the risk and hoping that they follow the suggestions of the vendor to upgrade? Or waiting 30 days and send it out?







Joshua Perrymon

Sr. Security Consultant

Network Armor

A Division of Integrated Computer Solutions

perrymonj( at )networkarmor.com

Cell. 850.345.9186

Office: 850.205.7501 x1104



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault