Re: Unresponsive Vendor

[JohnNicholson () aol com]

I would argue that in most cases it's possible to release a general description of the vulnerability that would not be 
tantamount to releasing an exploit, but that aside... (Yes, I realize that if you give people enough of a clue they 
will be able to figure it out for themselves, but at least you prevent the script kiddies from using a ready made 
exploit.) 

I'd suggest that you send the vendor a letter via registered mail, return receipt requested, spelling out the 
vulnerability, documenting your conversation with the engineer and the fact that you haven't heard anything.  Propose a 
timetable for them to respond to you to discuss how they are going to resolve the problem and how you and they 
(together) can announce the vulnerability in a manner that informs the user base without creating a substantial risk of 
exploitation.

You should make it clear that you feel that if they do not respond, other users of their product will be at risk, and 
you will be required to disclose the nature of the vulnerability via other means so that other users will be able to 
protect themselves.

I'd suggest cc'ing the letter to someone you trust at Securty Focus or maybe someone like Russ Cooper, Thor Larholm or 
someone of similar stature so that, if the vendor just discloses without giving you credit, you've got someone who can 
vouch for the fact that you found that vulnerability. 

Hope this helps.

John


In a message dated 11/19/2003 2:02:57 PM Eastern Standard Time, Matt Burnett <marukka () mac com> writes:

> I have a moral question for all of you. I have notified a major software
> company in the past about security issues with their software. I did email
> them with enough details to replicate the issue. However they never
> responded to my email, and a couple years later they fixed the issue and did
> not give credit were due. I'm sure other researchers contacted them with a
> similar but different way to exploit the flaw, but no one at all is given
> credit. Now I have a local d0s for their product and have contacted them
> again, this time via phone. After notifying them they gave me a case number
> and said a engineer would be in contact with me in approximately a week. I'm
> guessing that something similar will happen and this issue wont get fixed
> for a while, and once again I wont get credit. I'm just wondering what would
> be a fair time frame before releasing a exploit, and what I could/should do
> about receiving credit. I have looked at some papers online about when you
> should release a exploit but none i've read yet give any guidance on what
> you should do if the vendor is dragging their feet.
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------