Security Basics mailing list archives
RE: Unresponsive Vendor
From: "Randy Golly" <rcgolly () vermeertexas com>
Date: Thu, 20 Nov 2003 14:39:06 -0600
Why do you need to be recognized or be credited for your findings? I think that the fact that you found the exploit and pointed it out to the vendor has your moral responsibility covered. Be careful in taking the step of "announcing to the world" your exploit findings. There was a recent case of a security specialist jailed for disclosing a website security hole to users. It is a unique interpretation of the Computer Fraud and Abuse Act, where a California man was imprisoned for warning users of a breach in their web based email. It was said that he "impaired the integrity" of the network and reputation of the provider. See the article at http://www.securityfocus.com/columnists/179 Randy Golly IT Director Vermeer Equipment of Texas, Inc. -----Original Message----- From: Matt Burnett [mailto:marukka () mac com] Sent: Wednesday, November 19, 2003 1:03 PM To: security-basics () securityfocus com Subject: Unresponsive Vendor I have a moral question for all of you. I have notified a major software company in the past about security issues with their software. I did email them with enough details to replicate the issue. However they never responded to my email, and a couple years later they fixed the issue and did not give credit were due. I'm sure other researchers contacted them with a similar but different way to exploit the flaw, but no one at all is given credit. Now I have a local d0s for their product and have contacted them again, this time via phone. After notifying them they gave me a case number and said a engineer would be in contact with me in approximately a week. I'm guessing that something similar will happen and this issue wont get fixed for a while, and once again I wont get credit. I'm just wondering what would be a fair time frame before releasing a exploit, and what I could/should do about receiving credit. I have looked at some papers online about when you should release a exploit but none i've read yet give any guidance on what you should do if the vendor is dragging their feet. ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Unresponsive Vendor Matt Burnett (Nov 20)
- RE: Unresponsive Vendor Bob Beck (Nov 20)
- Re: Unresponsive Vendor Byron Sonne (Nov 20)
- RE: Unresponsive Vendor Bruce Davis (Nov 20)
- <Possible follow-ups>
- RE: Unresponsive Vendor Tim Donahue (Nov 20)
- Re: Unresponsive Vendor JohnNicholson (Nov 20)
- RE: Unresponsive Vendor mrodrigu (Nov 20)
- Re: Unresponsive Vendor Meritt James (Nov 21)
- RE: Unresponsive Vendor Randy Golly (Nov 20)
- Re: Unresponsive Vendor c_brauckmiller (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Peter Schawacker (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 21)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Pieter-Bas IJdens (Nov 21)
- RE: Unresponsive Vendor Meidinger Chris (Nov 21)
- Re: Unresponsive Vendor mrodrigu (Nov 21)
- Re: Unresponsive Vendor Matt Burnett (Nov 21)