Like wind, better out than in.

On 05/10/05, Josh Perrymon <[EMAIL PROTECTED]> wrote:
>
> Ok,
>
> I believe in working with the Vendor to inform them of vulnerable software
> upon finding it in the wild and so on…
>
> But I have a question…
>
> While performing a pen-test for a large company I found a directory
> traversal vulnerability in a search program.
> I used Achilles and inserted the DT attack in a hidden field and posted it
> to the web server. This returned the win.ini..
>
> Cool..
>
> Well… I called the company up and got the lead engineer on the phone.. He
> seemed a little pissed.
> He told me that they found the hole internally a couple of months ago, but they
> don't want it public, and they said I should not tell anyone about it because
> they don't want their customers at risk.
>
> So I ask the list: what is more beneficial to the customer? Not publicly
> disclosing the risk and hoping that they follow the suggestions of the
> vendor to upgrade? Or waiting 30 days and sending it out?
>
> Joshua Perrymon
> Sr. Security Consultant
> Network Armor
> A Division of Integrated Computer Solutions
> perrymonj( at )networkarmor.com
> Cell. 850.345.9186
> Office: 850.205.7501 x1104
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
regards
c0ntex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
