WebApp Sec mailing list archives
RE: FW: Publication of Vulnerabilities in Vendor Code
From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Sat, 11 Mar 2006 16:46:33 -0500
Allen, As some one else mentioned, CERT/CC is probably your best bet. In fact, there was a study done (no, really :) that revealed that, in general, vendors are much more likely to respond when notified by CERT/CC. I checked with a colleague regarding the procedures and he responded as follows:
You can tell him to use the front door - <cert () cert org>. We even have a high-tech vulnerability reporting form:
http://www.cert.org/reporting/vulnerability_form.txt
and suggest using PGP:
http://www.cert.org/contact_cert/encryptmail.html>
Most of this is here: <http://www.cert.org/contact_cert/>
He also provided a tracking number that you can include in the subject: VU#242968. Cheers, Sasha
On 3/10/06, Brokken, Allen P. <BrokkenA () missouri edu> wrote:Are there any kind of industry standard, or recommendedguidelines for"going public" with holes you've found in vendor code that have not yet been disclosed by the vendor? I recently identified a significant hole in a commercialpackage, andmy research has shown that it has not been published in anyformat todate. I have contacted the vendor, and gave them prototype exploit code that utilized the vulnerability. They have a significant user base, and at this point they have not published a patch, a vulnerability report, or set of mitigation strategies. Atthis pointit's been 4 weeks since my initial identification. I've received an initial acknowledgement email, followed by an email sayingthey werestudying the problem. I have yet to get any kind of schedule or commitment to fix the issue. I would appreciate insights into how to handle this issue. Allen Brokken Information Security and Account Management - IAT Services - University of Missouri -brokkena () missouri edu- (573)884-8708
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
Current thread:
- FW: Publication of Vulnerabilities in Vendor Code Brokken, Allen P. (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)
- RE: FW: Publication of Vulnerabilities in Vendor Code Sasha Romanosky (Mar 11)
- Re: FW: Publication of Vulnerabilities in Vendor Code Kyle Maxwell (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code leighm (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)