Hi John,
Personally, I do believe the vulnerability should be disclosed soon.
However, like you mentioned, there are client systems at risk.
Has the vendor created/released a patch for the vulnerability?
If so, then ensure your client's systems are fully patched before making
the vulnerability public knowledge.
If not, then I think the vendor should be notified that the
vulnerability will be made public soon, and that they MUST release a
patch to fix the issue.
Personally, I feel that the main aim of full disclosure... is to ensure
that vendors do not become lazy with patch releases and updates.
Regards,
Junaid
jfvanmeter_at_comcast.net wrote:
> Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations.
>
> I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit.
>
> My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?
>
> Best Regards --John
>
--
Junaid Loonat (B.Sc CompSci & Information Systems)
Software Development
Thusa Business Support (Pty) Ltd
Website: http://www.thusa.co.za
"Without our hardships, what worth are our successes?"
Received on Nov 01 2007