Security Basics mailing list archives
RE: Unresponsive Vendor
From: "Bruce Davis" <talesian () istop com>
Date: Thu, 20 Nov 2003 15:35:44 -0500
I'm not sure how many vendors will say that it is standard but among the hacking community that does notify vendors of exploits, I believe that the RFP policy is considered to be standard and fair. As well as being fairly straightforward.

http://www.wiretrip.net/rfp/policy.html

-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com]
Sent: November 19, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor

I have a moral question for all of you. I have notified a major software company in the past about security issues with their software. I did email them with enough details to replicate the issue. However they never responded to my email, and a couple years later they fixed the issue and did not give credit where due. I'm sure other researchers contacted them with a similar but different way to exploit the flaw, but no one at all is given credit.

Now I have a local d0s for their product and have contacted them again, this time via phone. After notifying them they gave me a case number and said an engineer would be in contact with me in approximately a week. I'm guessing that something similar will happen and this issue won't get fixed for a while, and once again I won't get credit.

I'm just wondering what would be a fair time frame before releasing an exploit, and what I could/should do about receiving credit. I have looked at some papers online about when you should release an exploit but none I've read yet give any guidance on what you should do if the vendor is dragging their feet.
Current thread:
- Unresponsive Vendor Matt Burnett (Nov 20)
- RE: Unresponsive Vendor Bob Beck (Nov 20)
- Re: Unresponsive Vendor Byron Sonne (Nov 20)
- RE: Unresponsive Vendor Bruce Davis (Nov 20)
- <Possible follow-ups>
- RE: Unresponsive Vendor Tim Donahue (Nov 20)
- Re: Unresponsive Vendor JohnNicholson (Nov 20)
- RE: Unresponsive Vendor mrodrigu (Nov 20)
- Re: Unresponsive Vendor Meritt James (Nov 21)
- RE: Unresponsive Vendor Randy Golly (Nov 20)
- Re: Unresponsive Vendor c_brauckmiller (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Peter Schawacker (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 21)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Pieter-Bas IJdens (Nov 21)