RE: Publicly Disclosing A Vulnerability

["Todd Towles" <toddtowles () brookshires com>]

I would say tell the vendor that they need to issue a fix and a statement. Come to a agree with the vendor on a release 
time. It isn't your software and there truly isn't your responible to protect THEIR customers, that is their job. It is 
a serious attack it sees and it shouldn't be open in the public. If it is fixed in the new version then a security 
release by the vender would give security and network admin at companies the ammo needed to buy the new version. Don't 
vendors understand that part..gezz.

Most PHBs need a good reason to upgrade. Security holes are that ammo...

If they fail to protect THEIR customers, then you may have to do what X says...to force their hand. Sad that it even 
has to be a option however.

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk 
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
> Of xyberpix
> Sent: Wednesday, October 05, 2005 10:02 AM
> To: Josh Perrymon
> Cc: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Publicly Disclosing A Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Notify the vendor, wait 30 days and disclose it under a false 
> name from some arb e-mail addy. That way your customer never 
> has to know it's you who disclosed it. You won't get the 
> credit for discovering it, but does that really matter?
>
> xyberpix
>
> On 5 Oct 2005, at 15:52, Josh Perrymon wrote:
>
> > Ok,
> >
> >
> >
> > I believe in working with the Vendor to inform then of vulnerable 
> > software upon finding it in the wild so on...
> >
> > But I have a question...
> >
> >
> >
> > While performing a pen-test for a large company I found a directory 
> > transversal vulnerability in a search program―
> >
> > I used Achilles and inserted the DT attack in a hidden field and 
> > posted it to the web server. This returned the win.ini..
> >
> > Cool..
> >
> >
> >
> > Well... I called the company up and got the lead engineer on 
> the phone.. 
> > He seemed a little pissed.
> >
> > He told me that they found the hole internally a couple 
> months ago but 
> > they don't want it public and they said I should not tell 
> anyone about 
> > it because they don't want their customers at risk.
> >
> >
> >
> > So I ask the list- what is more beneficial to the customer? Not  
> > publicly disclosing the risk and hoping that they follow the  
> > suggestions of the vendor to upgrade?  Or waiting 30 days and send  
> > it out?
> >
> >
> >
> >
> >
> >
> >
> > Joshua Perrymon
> >
> > Sr. Security Consultant
> >
> > Network Armor
> >
> > A Division of Integrated Computer Solutions
> >
> > perrymonj( at )networkarmor.com
> >
> > Cell. 850.345.9186
> >
> > Office: 850.205.7501 x1104
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFDQ+rTcRMkOnlkwMERArXnAJ9T04F5Vo7PvuBIz889XpCrj00SnQCeJEb+
> mc8ZKiCdog2PlppQ4xgomBU=
> =IPfz
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/