Penetration Testing mailing list archives

RE: Full Disclosure of Security Vulnerabilities


From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Thu, 1 Nov 2007 04:12:30 +0530

I also don't believe the vendor will go public with it, what would you
all do? 

Personally, I believe it does not matter whether the vendor goes public
immediately or not; what matters is whether they come up with the fix without
much delay and then release a public advisory.

During my past experiences of freelancing, a few of my clients were Fortune
500 companies and I found several issues ranging from medium critical to
extremely high critical. Later I learned that not all high critical issues were
fixed, and in such cases the client takes a call on it. In my own opinion, I
don't think it would have been fair on my part if I had released the
issues publicly without the client's consent. In such cases one
has to make a choice between customer relationship and personal fame. In
addition to that there are other things like NDAs which you may be tied up
with. However, the same won't apply if one is dealing with a vendor product
for which you have paid (e.g. your AV, OS, etc.).

-d


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jfvanmeter () comcast net
Sent: 31 October 2007 22:30
To: pen-test () securityfocus com
Subject: Full Disclosure of Security Vulnerabilities 


Hello Everyone, I would like to get your thoughts on Full Disclosure of
Security Vulnerabilities. About 3 weeks ago, during a pen-test of a software
suite for a client of mine, I found a directory traversal in a software
suite that my client has installed on thousands of workstations.

I sent screenshots and a packet capture to the vendor and they were able
to recreate the exploit.

My client doesn't want to go public with it because of the thousands of
workstations and servers that it's installed on. I also don't believe the
vendor will go public with it, what would you all do?

Best Regards --John
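John's report names a directory traversal in the suite under test without giving any details, and the thread does not say how the vendor fixed it. As an added illustration that is not part of either message and not the vendor's code, here is the server-side path check that a fix for this vulnerability class needs: a hypothetical resolve_under_base() function (the function names and the /tmp base directory used in the demo are assumptions) that canonicalises a client-supplied path and refuses anything that would leave the configured directory, including encoded, backslash and symlink variants.

```python
import os
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the configured base directory."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Map a client-supplied relative path onto the filesystem below base_dir.

    Returns the absolute, canonical path on success and raises TraversalError
    for anything that would resolve outside base_dir. Hypothetical helper,
    not taken from any product discussed in the thread.
    """
    # Decode exactly once. A doubly encoded sequence such as %252e must not
    # receive a second decode, otherwise the check sees a different string
    # than the filesystem layer does.
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat backslashes as separators so Windows-style traversal is not missed.
    decoded = decoded.replace("\\", "/")
    # Clients may only name files relative to the base directory.
    if decoded.startswith("/"):
        raise TraversalError("absolute path not allowed")
    # Lexical normalisation collapses "a/../b" and "./" segments; anything
    # that still begins with ".." after that is trying to climb out.
    normalised = posixpath.normpath(decoded)
    if normalised == ".." or normalised.startswith("../"):
        raise TraversalError("path escapes base directory")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    # realpath follows symlinks, so a link inside base_dir that points outside
    # is caught here even though the lexical check above passed it.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise TraversalError("resolved path escapes base directory")
    return candidate


def is_safe(base_dir: str, requested: str) -> bool:
    """Boolean wrapper used for logging or for a quick allow/deny decision."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests; the base directory is an assumption.
    base = "/tmp"
    samples = [
        "reports/2007/q4.pdf",
        "static/../index.html",
        "reports/../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/passwd",
        "file.txt\x00.jpg",
    ]
    for s in samples:
        verdict = "allow" if is_safe(base, s) else "deny "
        print(f"{verdict}  {s!r}")
```

The lexical check and the realpath check are both needed: the first gives a clear error before touching the filesystem, the second is what actually defends against symlinks and platform-specific separators.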

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
