Security Basics mailing list archives

Unresponsive Vendor


From: Matt Burnett <marukka () mac com>
Date: Wed, 19 Nov 2003 13:02:57 -0600

I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However, they never
responded to my email, and a couple of years later they fixed the issue and did
not give credit where due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said an engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue won't get fixed
for a while, and once again I won't get credit. I'm just wondering what would
be a fair time frame before releasing an exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release an exploit, but none I've read yet give any guidance on what
you should do if the vendor is dragging their feet.

