Vulnerability Development mailing list archives

Re: Decision


From: Mike Caudill <mcaudill () cisco com>
Date: Thu, 5 Jun 2003 22:59:44 -0400 (EDT)



Hello,

 I have run into a hard decision - I just discovered a bug in
 <someserver> which <some large company> runs and is only
 accessible to the clients of <the company> - it's an auth
 server, somewhere tied together with a Cisco router w/ SSG and
 RADIUS authentication.

 Due to the bug, any source file can be read, and <the company> has spent
 thousands of $ on making the system.

 What's best - report the bug and possible workarounds, or let it
 stay?
 What I am nervous of is that <the company> could 'kick' me later
 for seeing the sources.

P.Krumins

Peter,

CERT/CC has a checkbox on their vulnerability reporting form to keep the
reporter's information confidential from the affected vendors.  See their
form at

        http://www.cert.org/reporting/vulnerability_form.txt

If you don't feel comfortable going to the affected vendors directly, there
is always the option of using a trusted 3rd party like CERT/CC and having
them contact the vendors on your behalf.

-Mike-

-- 
----------------------------------------------------------------------------
|      ||        ||       | Mike Caudill              | mcaudill () cisco com |
|      ||        ||       | PSIRT Incident Manager    | 919.392.2855       |
|     ||||      ||||      | DSS PGP: 0xEBBD5271       | 919.522.4931 (cell)|
| ..:||||||:..:||||||:..  | RSA PGP: 0xF482F607       ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt                  |
----------------------------------------------------------------------------
