Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: University of Central Florida Multiple LFI

From: Shawn Merdinger <shawnmer () gmail com>
Date: Sat, 19 Feb 2011 12:40:11 -0500
Hi,

On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog () gmail com> wrote:

countless attempt to contact both their infosec team, the "tech rangers",
and their personal web developers with no contact back or patching of these
vulnerabilities I decided to post these up on FD. There are still many,
_many_ more vulnerabilities which I have yet to disclose as I'm still giving
them a chance to patch them.


I'll side-step the discussion of possible ethical and legal ramifications here.

However, I humbly suggest there are ways to escalate ones concerns in
most organizations, especially open ones like public .edus.  For
example, one could, after "no contact back" from a .edus security/site
owners could notify the .edu's general counsel and president's office,
perhaps cc'ing US-CERT and CERT/CC as well.  Having your process,
intentions and outcomes documented in a disclosure policy that you've
provided to all parties from initial communication also might be
something to consider.

Cheers,
--scm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: