Full Disclosure mailing list archives

Re: Publicly Disclosing A Vulnerability

From: "Martijn Lievaart" <m () rtij nl>
Date: Wed, 5 Oct 2005 17:18:13 +0200 (CEST)

Josh Perrymon zei:

Ok,

[ directory transversal vulnerability in a search program ]


So I ask the list- what is more beneficial to the customer? Not publicly
disclosing the risk and hoping that they follow the suggestions of the
vendor to upgrade?  Or waiting 30 days and send it out?


First look at the contract for the pentest. Are you allowed to disclose
this? Often your contract prevents this. Be careful!

M4
(but then magically someone else who is not under contract or NDA finds
this bug a few weeks later....)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)
- Re: Publicly Disclosing A Vulnerability xyberpix (Oct 05)
- Re: Publicly Disclosing A Vulnerability c0ntex (Oct 05)
- Re: Publicly Disclosing A Vulnerability phased (Oct 05)
- Re: Publicly Disclosing A Vulnerability Steve Friedl (Oct 05)
  - Re: Publicly Disclosing A Vulnerability Valdis . Kletnieks (Oct 05)
- Re: Publicly Disclosing A Vulnerability Donald J. Ankney (Oct 05)
- Re: Publicly Disclosing A Vulnerability Simon Richter (Oct 05)
- Re: Publicly Disclosing A Vulnerability Martijn Lievaart (Oct 05)
- RE: Publicly Disclosing A Vulnerability Paul Melson (Oct 05)
- RE: Publicly Disclosing A Vulnerability Adriel Desautels (Oct 05)
- <Possible follow-ups>
- RE: Publicly Disclosing A Vulnerability Todd Towles (Oct 05)
- Re: Publicly Disclosing A Vulnerability FX (Oct 05)
- RE: Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)