RE: [Full-disclosure] Publicly Disclosing A Vulnerability
- To: "xyberpix" <xyberpix@xxxxxxxxxxxx>, "Josh Perrymon" <perrymonj@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Publicly Disclosing A Vulnerability
- From: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
- Date: Wed, 5 Oct 2005 10:22:48 -0500
I would say tell the vendor that they need to issue a fix and a statement. Come
to an agreement with the vendor on a release time. It isn't your software and it
truly isn't your responsibility to protect THEIR customers; that is their job. It
is a serious attack, it seems, and it shouldn't be open in the public. If it is
fixed in the new version then a security release by the vendor would give
security and network admins at companies the ammo needed to buy the new version.
Don't vendors understand that part... geez.
Most PHBs need a good reason to upgrade. Security holes are that ammo...
If they fail to protect THEIR customers, then you may have to do what X
says... to force their hand. Sad that it even has to be an option, however.
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of xyberpix
> Sent: Wednesday, October 05, 2005 10:02 AM
> To: Josh Perrymon
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Notify the vendor, wait 30 days and disclose it under a false
> name from some arb e-mail addy. That way your customer never
> has to know it's you who disclosed it. You won't get the
> credit for discovering it, but does that really matter?
>
> xyberpix
>
> On 5 Oct 2005, at 15:52, Josh Perrymon wrote:
>
> > Ok,
> >
> > I believe in working with the Vendor to inform them of vulnerable
> > software upon finding it in the wild and so on...
> >
> > But I have a question...
> >
> > While performing a pen-test for a large company I found a directory
> > traversal vulnerability in a search program.
> >
> > I used Achilles and inserted the DT attack in a hidden field and
> > posted it to the web server. This returned the win.ini..
> >
> > Cool..
> >
> > Well... I called the company up and got the lead engineer on the phone..
> > He seemed a little pissed.
> >
> > He told me that they found the hole internally a couple months ago but
> > they don't want it public and they said I should not tell anyone about
> > it because they don't want their customers at risk.
> >
> > So I ask the list: what is more beneficial to the customer? Not
> > publicly disclosing the risk and hoping that they follow the
> > suggestions of the vendor to upgrade? Or waiting 30 days and sending
> > it out?
> >
> > Joshua Perrymon
> > Sr. Security Consultant
> > Network Armor
> > A Division of Integrated Computer Solutions
> > perrymonj( at )networkarmor.com
> > Cell. 850.345.9186
> > Office: 850.205.7501 x1104
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFDQ+rTcRMkOnlkwMERArXnAJ9T04F5Vo7PvuBIz889XpCrj00SnQCeJEb+
> mc8ZKiCdog2PlppQ4xgomBU=
> =IPfz
> -----END PGP SIGNATURE-----
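As an added worked example (not code from this thread, and not the search product Josh tested), here is the class of bug he describes: a hidden form field whose value reaches a file open without canonicalisation, so a tampered POST climbs out of the document root. The vulnerable handler sits beside a hardened one. The function names, the `path` field name and the fixture files are assumptions for illustration; a constructed `win.ini` stands in for the real one, and the payload is percent-encoded the way an intercepting proxy would let you send it.

```python
"""
Directory traversal via a hidden POST field: vulnerable vs. hardened handler.
Added example; function and field names are assumptions, fixture is constructed.
"""
import os
import tempfile
import urllib.parse


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body. The hidden field lives
    here, which is why a proxy (Achilles in the thread) is needed to tamper with it."""
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def serve_file_vulnerable(docroot: str, form: dict) -> bytes:
    """The bug: the hidden 'path' field is joined to the docroot and opened as-is.
    os.path.join happily follows '../' and even discards docroot for an absolute path."""
    target = os.path.join(docroot, form.get("path", ""))
    with open(target, "rb") as f:
        return f.read()


def serve_file_hardened(docroot: str, form: dict) -> bytes:
    """Canonicalise first, then refuse anything that resolves outside the docroot.
    The check is on the resolved path, not on the presence of '..' in the input,
    so encoded, doubled or backslash variants all fall out the same way."""
    root = os.path.realpath(docroot)
    raw = form.get("path", "")
    # Treat backslashes as separators too: on a Windows target '..\' traverses, and a
    # POSIX-only check would let '..\..\win.ini' through as a harmless-looking filename.
    candidate = os.path.realpath(os.path.join(root, raw.replace("\\", "/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"traversal attempt blocked: {raw!r}")
    with open(candidate, "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a constructed fixture (docroot/index.txt public, ../secret/win.ini outside)
    and run both handlers against a tampered POST. Returns what each handler produced."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "docroot")
        outside = os.path.join(tmp, "secret")
        os.makedirs(docroot)
        os.makedirs(outside)
        with open(os.path.join(docroot, "index.txt"), "wb") as f:
            f.write(b"public")
        with open(os.path.join(outside, "win.ini"), "wb") as f:
            f.write(b"[fonts]\n")  # constructed stand-in for the real win.ini

        # Tampered body: the hidden 'path' field rewritten to climb out of docroot,
        # with the dots and slashes percent-encoded as a proxy might send them.
        body = "q=test&path=%2e%2e%2fsecret%2fwin.ini"
        form = parse_form(body)

        results = {"vulnerable": serve_file_vulnerable(docroot, form)}
        try:
            serve_file_hardened(docroot, form)
            results["hardened"] = "leaked"
        except PermissionError:
            results["hardened"] = "blocked"
        # A legitimate request still works through the hardened path.
        results["legit"] = serve_file_hardened(docroot, {"path": "index.txt"})
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two practical notes on the hardened version: checking the resolved path against the resolved root is what matters, since a denylist on the literal string `..` is bypassed by encoding tricks and by absolute paths; and because `realpath` follows symlinks, a link inside the docroot that points outside is also refused, which is usually what you want for a search program's file reads.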