Vulnerability Development mailing list archives

RE: Complicated Disclosure Scenario


From: "Nathan Anderson" <nathan () andersonsplace net>
Date: Thu, 17 Jan 2002 09:08:46 -0800

Josha,

>>I encouraged the vendor to begin their own investigation. They ignored
this, and again stated that they would await my results.<<

        1. If you feel confident in your ability to exploit it, then my opinion is
that you offer to do the investigation at an hourly fee.  (Make sure you get
written documentation of any agreement with said vendor.)  Your time is
valuable and _they_ are the responsible party for tracking it down and
fixing it -- not you.  So if they want you to track it down, they should pay
you.

        Otherwise:

        You plainly inform them that you will be releasing the advisory in two
weeks or one month and give them the date of release.

Nathan.

