Vulnerability Development mailing list archives
Re: Complicated Disclosure Scenario
From: Bill Weiss <houdini () nmt edu>
Date: Thu, 17 Jan 2002 08:57:21 -0700
Josha Bronson (dmuz () slartibartfast angrypacket com) @ Wed, Jan 16, 2002 at 07:01:24PM -0800:

> Greetings fellow security folk, I would like to gather some opinions on a not so theoretical disclosure scenario. Please, for the sake of focused discussion, keep your replies related to the specific scenario that I am proposing and not alternate opinions on disclosure in general.
>
> At this point I contacted the vendor to alert them to the existence of this problem. After exchanging multiple emails, in which I tediously outlined the DoS condition and *potential* exploit situation, I was told that they would wait until I determined if the code could be exploited before they began creating an advisory or even working on a patch.
Release an advisory. It's not your job to research the vulnerability. The DoS works, and the exploit may work. I'd suggest releasing it as such, and tracking down someone who runs the software and (with their permission!) running the exploit. If it works, Re: it to the advisory. Alternately, release it in here, so people can test it. You'll get proper credit, and find out if the exploit works. If not, there's still a DoS in it.

Though it's good of you to worry about the customers, it's the company's job to keep their users safe from exploits. The response you got indicates that this may not be their highest priority. Though I could hazard some guesses as to the company (*ahem*), I'll just leave it at "I'm glad I don't use their software" (I hope).

--
Bill Weiss
Current thread:
- Complicated Disclosure Scenario Josha Bronson (Jan 17)
- Re: Complicated Disclosure Scenario terry white (Jan 17)
- RE: Complicated Disclosure Scenario Nathan Anderson (Jan 17)
- Re: Complicated Disclosure Scenario KF (Jan 17)
- Re: Complicated Disclosure Scenario Giurgiu Sergiu (Jan 17)
- Re: Complicated Disclosure Scenario Ryan Permeh (Jan 17)
- Re: Complicated Disclosure Scenario David Carroll (Jan 17)
- Re: Complicated Disclosure Scenario Nick Lange (Jan 17)
- Re: Complicated Disclosure Scenario Bill Weiss (Jan 17)
- Re: Complicated Disclosure Scenario Florian Weimer (Jan 17)
- Re: Complicated Disclosure Scenario Nick Lange (Jan 17)
- Re: Complicated Disclosure Scenario Mariusz Mazur (Jan 17)
- Re: Complicated Disclosure Scenario Dan (Jan 17)
- RE: Complicated Disclosure Scenario Dom De Vitto (Jan 17)
- RE: Complicated Disclosure Scenario Jose Nazario (Jan 17)
- Re: Complicated Disclosure Scenario Jeff Nathan (Jan 17)
- RE: Complicated Disclosure Scenario Jose Nazario (Jan 17)
- Re: Complicated Disclosure Scenario (Summary) Josha Bronson (Jan 19)
- RE: Complicated Disclosure Scenario NP-GEE-CLOUGH AARON (Jan 17)
- FW: Complicated Disclosure Scenario Martin . Farrelly (Jan 17)