Amen

On Tue, 2003-07-01 at 07:37, KF wrote:
> >
> >
> >The solution to this problem lies in the hands of the vendors, *not* in the hands 
> >of the researchers.
> >
> *This is no lie... after a while one (researchers) simply gets tired of
> bending over backwards to get the vendor to listen. You get to a point
> where you simply don't care sometimes...*
> vendors are frustrating... they first act like they can't talk to you
> unless you are paying for support... then they don't understand what it is
> you are trying to say... then they claim that oh that's not a business
> critical issue we are gonna sit on our rump for 6 months and then maybe we
> will fix it.... IF you even make it to that point...
> 
> For example I am waiting on a certain 3 letter company to get back to me
> on a local root exploit... I used their web based email form which claims
> a 24 hour response time... it's now 5 days later and no response... that
> failed so I start the usual blind emails to security@ support@
> somebodyfirggenhelpme@ and no one responds... so then I call their phone
> and go through every friggin option in their PBX system.. still can't find
> someone to help out...
> 
> "... security staff... what do you mean... I have never had someone ask something like that"
> me: you know... like I have a security issue with your product... you need to fix it...
> "that's interesting... I'll have to see what I can find... we never get calls like this"
> me: *sigh*
> 
> I have done my due diligence... here in about 1 day the problem is 100%
> theirs... I will give the public the old chmod -s recommendation and be
> done with it...
> 
> Someone in the .gov get us a vendor responsibility bill or something...
> -KF
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
