If you really want to make sure that this issue gets resolved, and you
are not prohibited from reporting this vulnerability (via contract or
disclosure agreement) you can report it to the CERT coordination center:
Here's the form to report the vulnerability: http://www.cert.org/reporting/vulnerability_form.txt
and send it to cert_at_cert_dot_org
as well as information on what happens when you report a vulnerability:
http://www.cert.org/kb/vul_disclosure.html
Regards,
Don
-------- Original Message --------
Subject: Full Disclosure of Security Vulnerabilities
From: jfvanmeter () comcast net
To: pen-test () securityfocus com
Date: 10/31/2007 1:00 PM
Hello Everyone, I would like to get your thoughts on Full Disclosure of
Security Vulnerabilities. About 3 weeks ago during a pen-test of a software
suite for a client of mine, I found a directory traversal in a software suite
that my client has installed on thousands of workstations.
I sent screen shots and a packet capture to the vendor and they were able to
recreate the exploit.
My client doesn't want to go public with it because of the thousands of
workstations and servers that it's installed on. I also don't believe the vendor
will go public with it. What would you all do?
Best Regards --John