Re: Publicly Disclosing A Vulnerability
From: Simon Richter <Simon.Richter () hogyros de>
Date: Wed, 05 Oct 2005 17:42:21 +0200
Josh Perrymon wrote:
> While performing a pen-test for a large company I found a directory
> traversal vulnerability in a search program—
Were you testing for the company that produces that software? If so,
they are the customer, and since they are paying you, they get to choose
who is going to be informed (any contract I would ever set up with a pen
tester would include such a clause, and unless they are completely
clueless I bet yours does too).
> He told me that they found the hole internally a couple months ago but
> they don’t want it public and they said I should not tell anyone about
> it because they don’t want their customers at risk.
Bullshit. Their customers are at risk now. If they want to minimize the
impact on their customers, they should prepare a fix, then notify large
customers (who need to go through some rollout procedure) under an NDA
and inform the remaining customers about an upcoming security fix to be
released on (insert timestamp two days later).
In my experience, there are two or three customers who will demand to
have the fix instantaneously (with at least five exclamation marks),
but the majority understands that this strategy is most beneficial to
them as they have time to make sure a techie is ready to implement the
fix as soon as the vulnerability is disclosed.
 cue obvious Terry Pratchett reference
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/