Full Disclosure mailing list archives

Re: Vendor casual towards vulnerability found in product


From: Gadi Evron <ge () egotistical reprehensible net>
Date: Wed, 26 May 2004 17:29:56 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| I have the following queries
|
| 1. Would an exploit like this be said to be severe?

Yes.

| 2. Is the vendor right in their approach to this issue?

No. They are irresponsible and using their software would be a mistake.

| 3. How do I make public the vulnerability? (Vendor has given
| permission for the same)

Well, I'd suggest timing it with them for their next release. If that
release is farther away than say.. whatever time period over 2 months..
threaten to publish it.

You could always contact securiteam.com for their assistance in
contacting the vendor, and verifying that you did prior to releasing it.
They provide such services.

Aside from using SecuriTeam's help (which I strongly recommend), try
reading http://www.oisafety.org/.

| 4. Ok, I'll rather ask... *should* I make public details of this
| vulnerability? (Since I know of sites using this app server, and they
| may be taken down if the exploit goes out)

Sites will go down.

Should you? If you followed all the ethical standards and waited an
acceptable period of time.. you *could* and no one would look badly at
you.. BUT:

You could always sit on it if you'd like to feel more responsible with
yourself (I think you were very responsible ALREADY), and once released
you can release more data on the issue.

| Your feedback would help.

The final decision should be yours. Take into account anything people
tell you, but make your own decision.

Don't listen to people who tell you that you are irresponsible, if you
first followed all the "rules". It is irresponsible to let such a
vulnerability exist without a patch.

Also, be responsible and DO follow the rules.

Good luck,

        Gadi Evron.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFAtLfzqH6NtwbH1FARAgDZAJ9w+42sv0ZqhOxqVahyP9SoHB472gCfbWmN
Za0QEEF9dH+o6gSf7xUeKFI=
=Sd/0
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
