-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Notify the vendor, wait 30 days and disclose it under a false name
from some arb e-mail addy. That way your customer never has to know
it's you who disclosed it. You won't get the credit for discovering
it, but does that really matter?
xyberpix
On 5 Oct 2005, at 15:52, Josh Perrymon wrote:
Ok,
I believe in working with the Vendor to inform then of vulnerable
software upon finding it in the wild so on…
But I have a question…
While performing a pen-test for a large company I found a directory
transversal vulnerability in a search program―
I used Achilles and inserted the DT attack in a hidden field and
posted it to the web server. This returned the win.ini..
Cool..
Well… I called the company up and got the lead engineer on the
phone.. He seemed a little pissed.
He told me that they found the hole internally a couple months ago
but they don’t want it public and they said I should not tell
anyone about it because they don’t want their customers at risk.
So I ask the list- what is more beneficial to the customer? Not
publicly disclosing the risk and hoping that they follow the
suggestions of the vendor to upgrade? Or waiting 30 days and send
it out?
Joshua Perrymon
Sr. Security Consultant
Network Armor
A Division of Integrated Computer Solutions
perrymonj( at )networkarmor.com
Cell. 850.345.9186
Office: 850.205.7501 x1104
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDQ+rTcRMkOnlkwMERArXnAJ9T04F5Vo7PvuBIz889XpCrj00SnQCeJEb+
mc8ZKiCdog2PlppQ4xgomBU=
=IPfz
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
