
Re: [Full-disclosure] University of Central Florida Multiple LFI

Hey Shawn,

I typically follow the Rain Forest Puppy Responsible Disclosure Policy which
I'm sure many people have read. I even extended the contact time to 2 weeks
since Universities are quite busy places. During those 2 weeks I personally
emailed them back 5 times and did not get a single response back. This is
not the first time the University has neglected to respond to
vulnerabilities affecting their sites and as such I decided that enough was
enough and that by publicly disclosing these vulnerabilities they would be
forced to patch their code. I've worked with many Universities in the past
to patch their vulnerabilities and they have responded typically within 12
hours of me sending my initial email alerting them to the issue. Being a
.edu does not exempt you from hackers wanting into your system and it does
not mean you can get away with having gaping holes in security for months
without patching them.

Full Disclosure as a methodology is about forcing people to fix their holes
which is exactly what I was hoping would happen to UCF.

Thanks for doing your best to extinguish the flamewar that was starting :D.


Luis Santana



On Sat, Feb 19, 2011 at 12:40 PM, Shawn Merdinger <shawnmer@xxxxxxxxx> wrote:

> Hi,
>
> On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog@xxxxxxxxx> wrote:
> > countless attempts to contact both their infosec team, the "tech rangers",
> > and their personal web developers with no contact back or patching of
> > these vulnerabilities, I decided to post these up on FD. There are still many,
> > _many_ more vulnerabilities which I have yet to disclose as I'm still
> > giving them a chance to patch them.
>
> I'll side-step the discussion of possible ethical and legal ramifications
> here.
>
> However, I humbly suggest there are ways to escalate one's concerns in
> most organizations, especially open ones like public .edus.  For
> example, one could, after "no contact back" from a .edu's security/site
> owners, notify the .edu's general counsel and president's office,
> perhaps cc'ing US-CERT and CERT/CC as well.  Having your process,
> intentions and outcomes documented in a disclosure policy that you've
> provided to all parties from initial communication also might be
> something to consider.
>
> Cheers,
> --scm
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/