*This is no lie... after a while one (researchers) simply gets tired of bending over backwards
The solution to this problem lies in the hands of the vendors, *not* in the hands of the researchers.
to get the vendor to listen. You get to a point where you simply don't care sometimes...*
vendors are frustrating... they first act like they can't talk to you unless you are
paying for support... then the don't understand what it is you are trying to say...
then they claim that oh thats not a business critical issue we are gonna sit on our
rump for 6 months and then maybe we will fix it.... IF you even make it to that
point...
For examle I am waiting on a certain 3 letter company to get back to me on a local root
exploit... I used their web based email form which claims a 24 hour response time... its
now 5 days later and no response... that failed so I start the usual blind emails to security@
support@ somebodyfirggenhelpme@ and no one responds... so then I call their phone and
go through every friggin option in their PBX system.. still can't find someone to help out...
"... security staff... what do you mean... I have never had someone ask something like that"
me: you know... like I have a security issue with your product... you need to fix it...
"thats interesting... I'll have to see what I can find... we never get calls like this"
me: *sigh*
I have done my due dilligence... here in about 1 day the problem is 100% theirs... I will give
the public the old chomd -s reccomendation and be done with it...
Someone in the .gov get us a vendor responsibility bill or something... -KF
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
