Full Disclosure mailing list archives

Re: Publicly Disclosing A Vulnerability

From: xyberpix <xyberpix () xyberpix com>
Date: Wed, 5 Oct 2005 16:01:39 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Notify the vendor, wait 30 days and disclose it under a false namefrom some arb e-mail addy. That way your customer never has to knowit's you who disclosed it. You won't get the credit for discoveringit, but does that really matter?


xyberpix

On 5 Oct 2005, at 15:52, Josh Perrymon wrote:

Ok,
I believe in working with the Vendor to inform then of vulnerablesoftware upon finding it in the wild so on…
But I have a question…
While performing a pen-test for a large company I found a directorytransversal vulnerability in a search program―
I used Achilles and inserted the DT attack in a hidden field andposted it to the web server. This returned the win.ini..
Cool..
Well… I called the company up and got the lead engineer on thephone.. He seemed a little pissed.
He told me that they found the hole internally a couple months agobut they don’t want it public and they said I should not tellanyone about it because they don’t want their customers at risk.
So I ask the list- what is more beneficial to the customer? Notpublicly disclosing the risk and hoping that they follow thesuggestions of the vendor to upgrade? Or waiting 30 days and sendit out?
Joshua Perrymon

Sr. Security Consultant

Network Armor

A Division of Integrated Computer Solutions

perrymonj( at )networkarmor.com

Cell. 850.345.9186

Office: 850.205.7501 x1104



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDQ+rTcRMkOnlkwMERArXnAJ9T04F5Vo7PvuBIz889XpCrj00SnQCeJEb+
mc8ZKiCdog2PlppQ4xgomBU=
=IPfz
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)
- Re: Publicly Disclosing A Vulnerability xyberpix (Oct 05)
- Re: Publicly Disclosing A Vulnerability c0ntex (Oct 05)
- Re: Publicly Disclosing A Vulnerability phased (Oct 05)
- Re: Publicly Disclosing A Vulnerability Steve Friedl (Oct 05)
  - Re: Publicly Disclosing A Vulnerability Valdis . Kletnieks (Oct 05)
- Re: Publicly Disclosing A Vulnerability Donald J. Ankney (Oct 05)
- Re: Publicly Disclosing A Vulnerability Simon Richter (Oct 05)
- Re: Publicly Disclosing A Vulnerability Martijn Lievaart (Oct 05)
- RE: Publicly Disclosing A Vulnerability Paul Melson (Oct 05)
- RE: Publicly Disclosing A Vulnerability Adriel Desautels (Oct 05)
- <Possible follow-ups>
- RE: Publicly Disclosing A Vulnerability Todd Towles (Oct 05)

(Thread continues...)