Re: Publicly Disclosing A Vulnerability
From: FX <fx () phenoelit de>
Date: Wed, 5 Oct 2005 18:38:27 +0200
With all due respect for your work and your desire to perform responsible
disclosure, did you perform the test for a client of NetworkArmor? If so,
your company states on their web page:
"The NetworkArmor division of Integrated Computer Solutions, Inc. provides
military-grade Information Security (InfoSec) Consulting Services to
enterprise-class commercial businesses, non-profit organizations, educational
institutions, and government agencies. Our certified InfoSec experts guide
clients in developing comprehensive programs to secure information assets."
I don't know about the military part, but in enterprise-class, it's usually
pretty clear who owns the vulnerability found on a paid-for pen-test.
Therefore, as others already pointed out, it should not be your call to
disclose the vulnerability.
My advice would be to focus on your customer and see what would be beneficial
for him, which in this case probably is a fix from the vendor. This, in turn,
would also be beneficial for the other customers of this vendor, since the fix
would be produced and others could patch as well. And if your customer or the
vendor publishes, they might even give you credit.
FX <fx () phenoelit de>
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/