Full Disclosure mailing list archives

RE: Publicly Disclosing A Vulnerability

From: "Josh Perrymon" <perrymonj () networkarmor com>
Date: Wed, 5 Oct 2005 13:17:42 -0500

Ok,

I have already worked with the Client and Vendor and the vendor is providing a free upgrade to the customer for no 
charge to correct the vulnerable issue. 
My focus is to protect the customer first...   The customer agreed that the vulnerability could be disclosed after they 
upgrade...

So I guess the only part of this I didn't care for was the vendor saying that they did not want me to release this 
information to the public.... I think it's because the client would get the upgrade for free instead of paying for it.

JP

________________________________________
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Josh Perrymon
Sent: Wednesday, October 05, 2005 10:52 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Publicly Disclosing A Vulnerability

Ok,

I believe in working with the Vendor to inform then of vulnerable software upon finding it in the wild so on...
But I have a question...

While performing a pen-test for a large company I found a directory transversal vulnerability in a search program-
I used Achilles and inserted the DT attack in a hidden field and posted it to the web server. This returned the 
win.ini..
Cool..

Well... I called the company up and got the lead engineer on the phone.. He seemed a little pissed.
He told me that they found the hole internally a couple months ago but they don't want it public and they said I should 
not tell anyone about it because they don't want their customers at risk.

So I ask the list- what is more beneficial to the customer? Not publicly disclosing the risk and hoping that they 
follow the suggestions of the vendor to upgrade?  Or waiting 30 days and send it out?



Joshua Perrymon
Sr. Security Consultant
Network Armor
A Division of Integrated Computer Solutions
perrymonj( at )networkarmor.com
Cell. 850.345.9186
Office: 850.205.7501 x1104


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Publicly Disclosing A Vulnerability, (continued)
- Re: Publicly Disclosing A Vulnerability phased (Oct 05)
- Re: Publicly Disclosing A Vulnerability Steve Friedl (Oct 05)
  - Re: Publicly Disclosing A Vulnerability Valdis . Kletnieks (Oct 05)
- Re: Publicly Disclosing A Vulnerability Donald J. Ankney (Oct 05)
- Re: Publicly Disclosing A Vulnerability Simon Richter (Oct 05)
- Re: Publicly Disclosing A Vulnerability Martijn Lievaart (Oct 05)
- RE: Publicly Disclosing A Vulnerability Paul Melson (Oct 05)
- RE: Publicly Disclosing A Vulnerability Adriel Desautels (Oct 05)
- RE: Publicly Disclosing A Vulnerability Todd Towles (Oct 05)
- Re: Publicly Disclosing A Vulnerability FX (Oct 05)
- RE: Publicly Disclosing A Vulnerability Josh Perrymon (Oct 05)