Vulnerability Development mailing list archives

Re: Decision


From: Daan van de Linde <daan () xs4all nl>
Date: Thu, 5 Jun 2003 20:43:31 +0200 (CEST)

IMHO you should alert the company. I think they would rather
have someone report the bug and have a faster response
to it than having to find out after a huge (public) exposure.
If they find traces that lead to you in the latter, you could
be 'kicked' severely.

If you still are worried about being kicked, you could contact
them anonymously.

In the best case, you'll get credit for reporting the bug.

Daan van de Linde
*nix system admin

On Thu, 5 Jun 2003, Peteris Krumins wrote:

Date: Thu, 5 Jun 2003 03:50:58 +0300
From: Peteris Krumins <newsgroups () lf lv>
To: vuln-dev () securityfocus com
Subject: Decision
Resent-Date: Thu, 5 Jun 2003 03:42:33 +0300
Resent-From: Peteris Krumins <newsgroups () lf lv>
Resent-cc: recipient list not shown: ;

Hello,

 I have run into a hard decision - I just discovered a bug in
 <someserver> which <some large company> runs and is only
 accessible to the clients of <the company> - it's an auth
 server, somewhere tied together with Cisco router w/ SSG and
 RADIUS authentication.

 Due to the bug, any source file can be read and <the company> has spent
 thousands of $ for making the system.

 What's the best - report the bug and possible workarounds or let it
 stay?
 What I am nervous of is that <the company> could 'kick' me later
 for seeing the sources.


P.Krumins

