Security Basics mailing list archives

RE: Unresponsive Vendor


From: "Bruce Davis" <talesian () istop com>
Date: Thu, 20 Nov 2003 15:35:44 -0500

I'm not sure how many vendors will say that it is standard but among the
hacking community that does notify vendors of exploits, I believe that the
RFP policy is considered to be standard and fair. As well as being fairly
straightforward.

http://www.wiretrip.net/rfp/policy.html

-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com]
Sent: November 19, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor


I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However they never
responded to my email, and a couple years later they fixed the issue and did
not give credit where due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said an engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue won't get fixed
for a while, and once again I won't get credit. I'm just wondering what would
be a fair time frame before releasing an exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release an exploit but none I've read yet give any guidance on what
you should do if the vendor is dragging their feet.

