Penetration Testing mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: jfvanmeter () comcast net
Date: Thu, 01 Nov 2007 10:59:10 +0000
I want to thank everyone for their comments. I'm going to allow my client to deal with the security issue and whether to make it public. Funny, that sounds like a cop-out, but I've been paid, so they own the report. The one thought I keep thinking about is all of the other systems that could be running this software and be vulnerable to the information disclosure and not know about it. You know, it would be my karma that some store would have this software loaded on the same computer that has my personal information stored on it.

Take Care and Have Fun
--John

-------------- Original message ----------------------
From: Thrynn <thrynn404 () gmail com>

I have always treated this as "belongs to the client". As a matter of fact, my contracts say as much. I'd recommend you give the details of the vulnerability and remedy to the client and offer to help them through the disclosure process. You cannot force either them or the vendor to do anything. Put the bullet in your toolkit for later use and let them do what they will with the info. Handled wrongly, and you can be out of future contention for contracts. Good luck.

On 10/31/07, jfvanmeter () comcast net <jfvanmeter () comcast net> wrote:

Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations. I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit. My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?

Best Regards
--John

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Re: Full Disclosure of Security Vulnerabilities Mike Hale (Nov 01)
- <Possible follow-ups>
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Junaid (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Don Miesle (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities Patrick J Kobly (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities mlevenstein (Nov 01)
- Re: Full Disclosure of Security Vulnerabilities jfvanmeter (Nov 01)
- RE: Full Disclosure of Security Vulnerabilities Security Department, anjiTech Data Solutions LLC (Nov 06)