Re: Vendor casual towards vulnerability found in product

[Harlan Carvey <keydet89 () yahoo com>]

Steven,

One bit of advice...to quote Morpheus, "welcome to the
desert of the real."
 
> 1. Would an exploit like this be said to be severe? 

Perhaps.  What is the real risk of destroying
configuration files, if backups are being made?
 
> 2. Is the vendor right in their approach to this
> issue?

They seem to think so.  

> 3. How do I make public the vulnerability? (Vendor
> has given permission for the same) 

Uhm..."mailto:full-disclosure () lists netsys com"??? 
(did I miss something obvious in your question?)

> 4. Ok, I'll rather ask... *should* I make public
> details of this
> vulnerability? (Since I know of sites using this app
> server, and they may be
> taken down if the exploit goes out)

Well, since you know of the sites, maybe you could
start by going to those folks and explaining the issue
to them...what happens, what's the effect, and how to
protect against.  If the vendor isn't dealing w/ it in
(in your opinion) a timely manner, or isn't dealing w/
it in the way you think they should, then releasing it
to the public (since, as you say, they've given their
permission) might be a way to go.  Or maybe first
releasing it to the folks using the product, and
telling them that on such-and-such a date you're going
to release it to the general public...that might be
another option.

One trap you have to avoid falling into is coming
across sounding like a nut.  If you decide to publish
this vulnerability to the general public, understand
that putting things like "shout outs to my peeps" and
"f*ck you's" in the posting will very likely reduce
your overall credibility.

Also, think carefully about this situation.  Are you
angry (you did type "grrrr" at one point) b/c the
vendor isn't responding in the manner that *you* think
they should?  After all, according to your own post,
they've been aware of the vulnerability for a while,
and haven't dealt with it to your
satisfaction...which, unless you've been under a rock
for the past 5 yrs, is nothing new.  Maybe the vendor
knows about it, but hasn't taken what *you* would
consider to be adequate action b/c they haven't
received any (or that many) reports from customers
about this situation.  When you're dealing w/ a
company like the one you're talking about, what they
focus on at any given time is driven by economics.

You don't want to come across as someone who's upset
b/c you found your first vulnerability and you don't
think the vendor is taking it as seriously as you
think they should.  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html