Vulnerability Development mailing list archives

Re: Complicated Disclosure Scenario (Summary)


From: Josha Bronson <dmuz () slartibartfast angrypacket com>
Date: Fri, 18 Jan 2002 12:03:43 -0800

On Wed, Jan 16, 2002 at 07:01:24PM -0800, Josha Bronson said:
> So, what would you do?

Thank you to everyone for all your valuable opinions. I've gotten a lot
of really great feedback on and off the list. 

I do use the RFPolicy as a guideline when disclosing security issues. I
find that the policy outlined in that document is both fair and firm. I
encourage everyone to read it if they have not.

We have decided to work with a private security research group that has
generously offered to help on creating an exploit. I'm confident that
with their assistance we should be able to make a determination as to
whether the issue can result in execution of code.

I've alerted the vendor that research is continuing, and we will keep
them posted on our findings. I've also stated to them that from the date
we send them our final results we will wait for a period of two weeks
until we make our findings public, fix or no fix. Two weeks may seem
like a short time, but the vendor has been aware of this issue since
early January.

Thanks again to all who replied for your input.

Cheers and happy new year,
-- 
Josha Bronson
dmuz () angrypacket com
AngryPacket Security
