Subject: RE: [Full-disclosure] Publicly Disclosing A Vulnerability

> So I ask the list- what is more beneficial to the customer? Not publicly disclosing the
> risk and hoping that they follow the suggestions of the vendor to upgrade? Or waiting
> 30 days and sending it out?

Your customers need to be your main concern, since they literally own this process. Piss them off by disclosing a vulnerability that they have and cannot fix, and you can bet that it'll be the last time you do business with them. Might wanna check your paperwork, too - you may hold some liability to them if you disclose this vulnerability.

Of course, if you have multiple customers that are using the vulnerable product, your life is even more complicated. You may choose to discreetly inform them that a vulnerability has been discovered and that they should consider upgrading. That is an ethical and responsible course of action, but it may violate your other customers' trust. Hence, discretion.

Once your customers are taken care of, you can look at responsible disclosure avenues. But I would implore that, as long as the vendor commits to releasing a patch or notifying their customers, you don't do something to sabotage their efforts like releasing an exploit or even a detailed advisory before they've had a chance to handle it. Which reminds me, if the currently undisclosed nature of this vulnerability is allowing your customers to consider not acting, then you need to press harder.

My experience has taught me that responsible vulnerability disclosure is a thankless job. Customers are confused, vendors are angry, and more often than not, there is no glory for you as someone else will discover and disclose the same vulnerability before you're done handling it the correct way.

PaulM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
