Full Disclosure mailing list archives
Re: Vendor casual towards vulnerability found in product
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 07:02:35 -0700 (PDT)
Steven, one bit of advice...to quote Morpheus, "welcome to the desert of the real."
1. Would an exploit like this be said to be severe?
Perhaps. What is the real risk of destroying configuration files, if backups are being made?
2. Is the vendor right in their approach to this issue?
They seem to think so.
3. How do I make public the vulnerability? (Vendor has given permission for the same)
Uhm..."mailto:full-disclosure () lists netsys com"??? (did I miss something obvious in your question?)
4. Ok, I'll rather ask... *should* I make public details of this vulnerability? (Since I know of sites using this app server, and they may be taken down if the exploit goes out)
Well, since you know of the sites, maybe you could start by going to those folks and explaining the issue to them...what happens, what's the effect, and how to protect against it. If the vendor isn't dealing w/ it in (in your opinion) a timely manner, or isn't dealing w/ it in the way you think they should, then releasing it to the public (since, as you say, they've given their permission) might be a way to go. Or maybe first releasing it to the folks using the product, and telling them that on such-and-such a date you're going to release it to the general public...that might be another option.

One trap you have to avoid falling into is coming across sounding like a nut. If you decide to publish this vulnerability to the general public, understand that putting things like "shout outs to my peeps" and "f*ck you's" in the posting will very likely reduce your overall credibility.

Also, think carefully about this situation. Are you angry (you did type "grrrr" at one point) b/c the vendor isn't responding in the manner that *you* think they should? After all, according to your own post, they've been aware of the vulnerability for a while, and haven't dealt with it to your satisfaction...which, unless you've been under a rock for the past 5 yrs, is nothing new. Maybe the vendor knows about it, but hasn't taken what *you* would consider to be adequate action b/c they haven't received any (or that many) reports from customers about this situation. When you're dealing w/ a company like the one you're talking about, what they focus on at any given time is driven by economics. You don't want to come across as someone who's upset b/c you found your first vulnerability and you don't think the vendor is taking it as seriously as you think they should.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Vendor casual towards vulnerability found in product stevenr (May 26)
- Re: Vendor casual towards vulnerability found in product Gadi Evron (May 26)
- Re: Vendor casual towards vulnerability found in product Harlan Carvey (May 26)
- Re: Vendor casual towards vulnerability found in product morning_wood (May 26)
- Re: Vendor casual towards vulnerability found in product George Capehart (May 26)
- RE: Vendor casual towards vulnerability found in product Aditya, ALD [Aditya Lalit Deshmukh] (May 26)