WebApp Sec mailing list archives
Re: FW: Publication of Vulnerabilities in Vendor Code
From: "Kyle Maxwell" <krmaxwell () gmail com>
Date: Fri, 10 Mar 2006 18:32:26 -0600
On 3/10/06, Brokken, Allen P. <BrokkenA () missouri edu> wrote:
Are there any kind of industry standard, or recommended guidelines for "going public" with holes you've found in vendor code that have not yet been disclosed by the vendor?
There are a lot of answers to this question, as you'll see just by Googling for "vulnerability disclosure policy". That said, many of us follow rain forest puppy's old policy as outlined at http://www.wiretrip.net/rfp/policy.html, which essentially requires the vendor to stay in communication with the researcher and make a good faith effort to fix the problem.

Were I in your shoes, I would contact them, inform them you are concerned about the lack of communication, and state that you will disclose it publicly if you hear nothing from them within 5 business days. If they do in fact respond, you should outline a communication schedule and a hard date by which they must fix the problem and make the fix available; help them to understand that their customers are vulnerable *today* and they should be fixing the problem with all due speed and care.

--
Kyle Maxwell
http://caffeinatedsecurity.com
[krmaxwell () gmail com]