I would say tell the vendor that they need to issue a fix and a statement. Come to an agreement with the vendor on a release time. It isn't your software, and it truly isn't your responsibility to protect THEIR customers; that is their job. It is a serious attack, it seems, and it shouldn't be open in the public. If it is fixed in the new version then a security release by the vendor would give security and network admins at companies the ammo needed to buy the new version. Don't vendors understand that part... geez.
Most PHBs need a good reason to upgrade. Security holes are that ammo... If they fail to protect THEIR customers, then you may have to do what X says... to force their hand. Sad that it even has to be an option however.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of xyberpix
> Sent: Wednesday, October 05, 2005 10:02 AM
> To: Josh Perrymon
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
>
> Notify the vendor, wait 30 days and disclose it under a false
> name from some arb e-mail addy. That way your customer never
> has to know it's you who disclosed it. You won't get the
> credit for discovering it, but does that really matter?
>
> xyberpix
>
> On 5 Oct 2005, at 15:52, Josh Perrymon wrote:
>
> > Ok,
> >
> > I believe in working with the Vendor to inform them of vulnerable
> > software upon finding it in the wild and so on...
> >
> > But I have a question...
> >
> > While performing a pen-test for a large company I found a directory
> > traversal vulnerability in a search program.
> >
> > I used Achilles and inserted the DT attack in a hidden field and
> > posted it to the web server. This returned the win.ini..
> >
> > Cool..
> >
> > Well... I called the company up and got the lead engineer on the phone..
> > He seemed a little pissed.
> >
> > He told me that they found the hole internally a couple months ago but
> > they don't want it public and they said I should not tell anyone about
> > it because they don't want their customers at risk.
> >
> > So I ask the list- what is more beneficial to the customer? Not
> > publicly disclosing the risk and hoping that they follow the
> > suggestions of the vendor to upgrade? Or waiting 30 days and sending
> > it out?
> >
> > Joshua Perrymon
> > Sr. Security Consultant
> > Network Armor
> > A Division of Integrated Computer Solutions
> > perrymonj( at )networkarmor.com
> > Cell. 850.345.9186
> > Office: 850.205.7501 x1104
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
