[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Publicly Disclosing A Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
From: "Martijn Lievaart" <m@xxxxxxx>
Date: Wed, 5 Oct 2005 17:18:13 +0200 (CEST)

Josh Perrymon zei:
> Ok,
>
[ directory transversal vulnerability in a search program ]
>
> So I ask the list- what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade?  Or waiting 30 days and send it out?

First look at the contract for the pentest. Are you allowed to disclose
this? Often your contract prevents this. Be careful!

M4
(but then magically someone else who is not under contract or NDA finds
this bug a few weeks later....)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Publicly Disclosing A Vulnerability
  - From: Josh Perrymon

Prev by Date: [Full-disclosure] Tellme 1.2
Next by Date: RE: [Full-disclosure] Publicly Disclosing A Vulnerability
Previous by thread: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
Next by thread: RE: [Full-disclosure] Publicly Disclosing A Vulnerability
Index(es):
- Date
- Thread