[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] University of Central Florida Multiple LFI
- To: Hack Talk <hacktalkblog@xxxxxxxxx>
- Subject: Re: [Full-disclosure] University of Central Florida Multiple LFI
- From: Shawn Merdinger <shawnmer@xxxxxxxxx>
- Date: Sat, 19 Feb 2011 12:40:11 -0500
Hi,
On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog@xxxxxxxxx> wrote:
> countless attempt to contact both their infosec team, the "tech rangers",
> and their personal web developers with no contact back or patching of these
> vulnerabilities I decided to post these up on FD. There are still many,
> _many_ more vulnerabilities which I have yet to disclose as I'm still giving
> them a chance to patch them.
I'll side-step the discussion of possible ethical and legal ramifications here.
However, I humbly suggest there are ways to escalate ones concerns in
most organizations, especially open ones like public .edus. For
example, one could, after "no contact back" from a .edus security/site
owners could notify the .edu's general counsel and president's office,
perhaps cc'ing US-CERT and CERT/CC as well. Having your process,
intentions and outcomes documented in a disclosure policy that you've
provided to all parties from initial communication also might be
something to consider.
Cheers,
--scm
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/