Security Basics mailing list archives
Re: Unresponsive Vendor
From: "Pieter-Bas IJdens" <pieter-bas () ijdens com>
Date: Fri, 21 Nov 2003 13:02:28 +0100
> Having said that, if you haven't heard from the vendor in a month with even a status update...I say screw 'em...release the exploit. If they don't have the common courtesy to let you know, "Hey..we are working on it." then they are not a very good company to begin with and they should be shown that the security community won't stand for it. After they get nailed a couple times, hopefully they will reconsider their methods.
The security community is there to make the world a better place. Releasing an exploit for unfixed code because your feelings are, or have been, hurt is at least counterproductive. Personally, I would rather wait a year for them to fix the code than release an exploit (of all things) for a problem 'because they pissed me off'. If I had found this problem, I would personally not care too much about the credit either. I would also not abuse the position of power towards that company that having the exploit gives me. Let them fix it in their time, but as soon as possible, because the community is 'at risk' as long as the vulnerability exists. Publishing the vulnerability (and especially an exploit) before there is a fix with at least a vast majority of the users will only increase that risk to the community and is guaranteed not to be the best thing to do. Making things worse should not be the hobby of someone working to improve security.

Expecting the company to keep you posted is kind of naive. They maybe should, but as you know, this hardly happens in reality. It is better, I think, to ask if you want to know than it is to wait for them. If you think it is 'never' going to be fixed anyway, you can simply tell them that you will give them eight more weeks or something to fix it, and tell them you will publish after that regardless. Just before the deadline expires, and if you haven't heard from them yet, ask again for the status, then draw your own plan based on the result. Personally I would still not publish by then, to be fair, for the above reasons. I'd prefer working with them to get things sorted than working against them and screwing all users of that software over in the process. Especially for Matt this is an issue, since he wants a job later on with a company that probably uses that software. Being known as the guy that got their servers hacked is not a good way to get hired.

Sometimes pride and personal feeling should be set aside a bit for the greater good, which is what we all are working on, isn't it?

Just my $0.02,

Pieter-Bas