Penetration Testing mailing list archives
RE: Full Disclosure of Security Vulnerabilities
From: "Debasis Mohanty" <debasis.mohanty.listmails () gmail com>
Date: Thu, 1 Nov 2007 04:12:30 +0530
> I also don't believe the vendor will go public with it, what would you
> all do?

Personally I believe it does not matter whether the vendor goes public or not immediately, but what matters is whether they come up with the fix without much delay and then release a public advisory. During my past experiences of freelancing, a few of my clients were Fortune 500 companies and I found several issues ranging from medium critical to extremely high critical. Later I knew that not all high critical issues were fixed, and in such cases the client takes a call on it. In my own opinion, I don't think it would have been fair on my part if I had released the issues publicly without the client's consent. In such cases one has to make a choice between customer relationship and personal fame. In addition to it, there are other things like NDAs which you may be tied up with. However, the same won't apply if one is dealing with a vendor product for which you have paid (e.g. your AV, OS, etc.).

-d

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jfvanmeter () comcast net
Sent: 31 October 2007 22:30
To: pen-test () securityfocus com
Subject: Full Disclosure of Security Vulnerabilities

Hello Everyone,

I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations. I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit. My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it, what would you all do?

Best Regards
--John

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Full Disclosure of Security Vulnerabilities jfvanmeter (Oct 31)
- Re: Full Disclosure of Security Vulnerabilities Nikolaj (Oct 31)
- RE: Full Disclosure of Security Vulnerabilities Debasis Mohanty (Oct 31)
- Re: Full Disclosure of Security Vulnerabilities Joxean Koret (Oct 31)
- Re: Full Disclosure of Security Vulnerabilities Brian Toovey (Oct 31)
- Re: Full Disclosure of Security Vulnerabilities Thrynn (Oct 31)