Penetration Testing mailing list archives
Re: Full Disclosure of Security Vulnerabilities
From: Junaid <junaid () thusa co za>
Date: Thu, 01 Nov 2007 08:38:56 +0200
Hi John,

Personally, I do believe the vulnerability should be disclosed soon. However, like you mentioned, there are client systems at risk. Has the vendor created/released a patch for the vulnerability? If so, then ensure your client's systems are fully patched before making the vulnerability public knowledge. If not, then I think the vendor should be notified that the vulnerability will be made public soon, and that they MUST release a patch to fix the issue.

Personally, I feel that the main aim of full disclosure... is to ensure that vendors do not become lazy with patch releases and updates.

Regards,
Junaid

jfvanmeter () comcast net wrote:
Hello Everyone,

I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations. I sent screenshots and a packet capture to the vendor and they were able to recreate the exploit. My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?

Best Regards
--John
--
Junaid Loonat (B.Sc CompSci & Information Systems)
Software Development
Thusa Business Support (Pty) Ltd
Website: http://www.thusa.co.za
"Without our hardships, what worth are our successes?"