to continue the "it takes two to tango" metaphor, i will say the following
(inline):

On Wed, 31 Jul 2002, Chris Paget wrote:

> 2)  R attempts to contact V to reveal the bug.
> 3)  V does not respond.

this is the fault of the vendor for not having a well known and publicized
contact point for handling security concerns. furthermore, if publicly
published email addresses for the company (i.e. webmaster, abuse,
postmaster, support, security) do NOT have the correct stuff forwarded to
the security contact, there is an organizational breakdown for the vendor.
this has been beaten to death by this point; there is no reason this
should still be the case.

> 4)  R attempts communication several times over the next 90 days, but
> never receives a response.

if the researcher doesn't attempt to work with an established third party
(i.e. CERT, SecurityFocus) to get this contact made, they are acting in an
irresponsible fashion. at least the researcher waited 90 days, though.

so, it does take two to tango; both sides have to have made honest efforts
to make sure this process of vulnerability notification can work as
smoothly as possible. this has been the subject of many recent discussions,
including standards drafts. no excuses for not attempting to adhere to
these best practices for either side of the issue.

___________________________
jose nazario, ph.d.                     [EMAIL PROTECTED]
                                        http://www.monkey.org/~jose/
