Vulnerability Development mailing list archives
Re: Decision
From: Mike Caudill <mcaudill () cisco com>
Date: Thu, 5 Jun 2003 22:59:44 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Hello, I have run into a hard decision - I just discovered a bug in <someserver> which <some large company> runs and is only accessible to the clients of <the company> - it's an auth server, somewhere tied together with Cisco router w/ SSG and RADIUS authentication. Due to the bug, any source file can be read, and the <the company> has spent thousands of $ for making the system. What's the best - report the bug and possible workarounds or let it stay? What I am nervous of is that the <the company> could 'kick' me later for seeing the sources.
>
> P.Krumins
Peter,

CERT/CC has a checkbox on their vulnerability reporting form to keep the reporter's information confidential from the affected vendors. See their form at http://www.cert.org/reporting/vulnerability_form.txt

If you don't feel comfortable going to the affected vendors directly, there is always the option of using a trusted 3rd party like CERT/CC and having them contact the vendors on your behalf.

- -Mike-

- --
Mike Caudill | mcaudill () cisco com
PSIRT Incident Manager | 919.392.2855
DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)
RSA PGP: 0xF482F607
Cisco Systems | http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPuADjopjyUnrvVJxEQJX7ACg80UaFE2pRCF1gbBRzRKg/cilPeQAoLdP
fekIMRYxavhJDJd4WyBlVl6M
=tp+w
-----END PGP SIGNATURE-----
Current thread:
- Decision Peteris Krumins (Jun 05)
- Re: Decision Zow (Jun 05)
- Re: Decision Daan van de Linde (Jun 05)
- Re: Decision Mike Caudill (Jun 06)