WebApp Sec: Re: FW: Publication of Vulnerabilities in Vendor Code

Re: FW: Publication of Vulnerabilities in Vendor Code

From: D.Snezhkov <dsnezhkov_at_gmail.com>
Date: Fri, 10 Mar 2006 17:30:17 -0600

Hi Allen,

I was faced with a similar situation some time ago. I opted to
post the vulnerability on the public list after multiple attempts to
work with the vendor.

Later on I was contacted by the vendor and found out that the email
communication was routed incorrectly within the company due to an
unconventional issue or just the sheer size of the company.

I would advise making another attempt to contact them by placing a
call into the company and getting in touch with the appropriate
people. In my experience they may be unaware of the problem and quite
interested in fixing the issue.

Hope that helps.

Dimitry.

On 3/10/06, Brokken, Allen P. <BrokkenA_at_missouri.edu> wrote:
> Are there any industry standards or recommended guidelines for "going public" with holes you've found in vendor code that have not yet been disclosed by the vendor?
>
> I recently identified a significant hole in a commercial package, and my research has shown that it has not been published in any format to date. I have contacted the vendor and given them prototype exploit code that utilized the vulnerability. They have a significant user base, and at this point they have not published a patch, a vulnerability report, or a set of mitigation strategies. At this point it's been 4 weeks since my initial identification. I've received an initial acknowledgement email, followed by an email saying they were studying the problem. I have yet to get any kind of schedule or commitment to fix the issue.
>
> I would appreciate insights into how to handle this issue.
>
>
> Allen Brokken
> Information Security and Account Management - IAT Services - University of Missouri -brokkena_at_missouri.edu- (573)884-8708

Received on Mar 10 2006