WebApp Sec mailing list archives

RE: FW: Publication of Vulnerabilities in Vendor Code


From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Sat, 11 Mar 2006 16:46:33 -0500


Allen, 

As someone else mentioned, CERT/CC is probably your best bet. In fact,
there was a study done (no, really :) that revealed that, in general,
vendors are much more likely to respond when notified by CERT/CC.

I checked with a colleague regarding the procedures and he responded as
follows: 

You can tell him to use the front door - <cert () cert org>.
We even have a high-tech vulnerability reporting form:
http://www.cert.org/reporting/vulnerability_form.txt 
and suggest using PGP:
<http://www.cert.org/contact_cert/encryptmail.html>
Most of this is here: <http://www.cert.org/contact_cert/>

He also provided a tracking number that you can include in the subject:
VU#242968.


Cheers,
Sasha


On 3/10/06, Brokken, Allen P. <BrokkenA () missouri edu> wrote:
Are there any kind of industry standard, or recommended guidelines for
"going public" with holes you've found in vendor code that have not
yet been disclosed by the vendor?

I recently identified a significant hole in a commercial package, and
my research has shown that it has not been published in any format to
date. I have contacted the vendor, and gave them prototype exploit
code that utilized the vulnerability. They have a significant user
base, and at this point they have not published a patch, a
vulnerability report, or set of mitigation strategies. At this point
it's been 4 weeks since my initial identification. I've received an
initial acknowledgement email, followed by an email saying they were
studying the problem. I have yet to get any kind of schedule or
commitment to fix the issue.

I would appreciate insights into how to handle this issue.


Allen Brokken
Information Security and Account Management - IAT Services - 
University of Missouri -brokkena () missouri edu- (573)884-8708



