Security Basics mailing list archives

Re: Unresponsive Vendor


From: "Pieter-Bas IJdens" <pieter-bas () ijdens com>
Date: Fri, 21 Nov 2003 13:02:28 +0100

Having said that, if you haven't heard from the vendor in a month with even a status update...I say screw'em...release the exploit. If they don't have the common courtesy to let you know, "Hey..we are working on it." then they are not a very good company to begin with and they should be shown that the security community won't stand for it. After they get nailed a couple times, hopefully they will reconsider their methods.

The security community is there to make the world a better place.

Releasing an exploit for unfixed code because your feelings are, or have
been, hurt is at least counterproductive. Personally, I would rather wait a
year for them to fix the code than release an exploit (of all things) for a
problem 'because they pissed me off'.

If I had found this problem, I would personally not care too much
about the credit either. I would also not abuse my position of power towards
that company that having the exploit gives me. Let them fix it in their
time, but as soon as possible because the community is 'at risk' as long as
the vulnerability exists. Publishing the vulnerability (and especially an
exploit) before there is a fix with at least a vast majority of the users
will only increase that risk to the community and is guaranteed not to be
the best thing to do. Making things worse should not be the hobby of someone
working to improve security.

Expecting the company to keep you posted is kind of naive. They maybe should,
but as you know, this hardly happens in reality. It is better I think to ask
if you want to know than it is to wait for them. If you think it is 'never'
going to be fixed anyway, you can simply tell them that you will give them
eight more weeks or something to fix it, and tell them you will publish
after that regardless. Just before the deadline expires, and if you haven't
heard from them yet, ask again for the status, then draw your own plan based
on the result. Personally I would still not publish by then to be fair, for
above reasons. I'd prefer working with them to get things sorted than
working against them and screwing all users of that software over in the
process.

Especially for Matt this is an issue since he wants a job later on with a
company that probably uses that software. Being known as the guy that got
their servers hacked is not a good way to get hired.

Sometimes pride and personal feeling should be set aside a bit for the
greater good, which is what we all are working on isn't it?

Just my $0.02,

  Pieter-Bas
