Vulnerability Development mailing list archives
RE: Vendor Changelogs /Notifications
From: "Craig, Scott" <SCraig () kmart com>
Date: Fri, 6 Sep 2002 11:59:51 -0400
IMHO, I think you should take over the role of the vendor by posting to this list.

1) If you discovered the vulnerability and can exploit it, verify that their patch does indeed fix it.
2) Post to the mailing list(s) and mimic a vendor bulletin including description, impact, severity, and note the fix/workaround. Also mention you have a working exploit which will be published in a couple days.
3) Wait a couple days, post the detailed vulnerability information.

You may want to post to vuln-dev first, and get the results from other people to see if there are other circumstances that affect whether or not someone is vulnerable. Maybe someone else could have a twist on it as well.

-----Original Message-----
From: quentyn () fotango com [mailto:quentyn () fotango com]
Sent: Thursday, September 05, 2002 2:46 PM
To: vuln
Subject: Vendor Changelogs /Notifications

This is really a generic query.

Is it appropriate to send notifications to public lists if you spot that a vendor has fixed a serious security hole (mentioned only in the change log) but hasn't sent any notification and doesn't have any notification on their site?

Other than using the product (and reading change logs) I have had nothing to do with this issue. My concern is that people may continue to run the affected version without noticing that there is a fix.

Certainly, certain vendors appear to be quite good about posting to bugtraq et al. to inform of problems and fixes in their products, others appear not so pro-active about informing people.

Q

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
Never anger a dragon, for you are crunchy and good with ketchup.