Re: Full Disclosure of Security Vulnerabilities

From: Thrynn (thrynn404@gmail.com)
Date: Wed Oct 31 2007 - 19:36:53 EST


I have always treated this as "belongs to the client". As a matter of
fact, my contracts say as much.

I'd recommend you give the details of the vulnerability and remedy to
the client and offer to help them through the disclosure process. You
cannot force either them or the vendor to do anything. Put the bullet
in your toolkit for later use and let them do what they will with the
info.

Handled wrongly, and you can be out of future contention for contracts.

Good luck.

On 10/31/07, jfvanmeter@comcast.net <jfvanmeter@comcast.net> wrote:
>
> Hello Everyone, I would like to get your thoughts on Full Disclosure of Security Vulnerabilities. About 3 weeks ago during a pen-test of a software suite for a client of mine, I found a directory traversal in a software suite that my client has installed on thousands of workstations.
>
> I sent screen shots and a packet capture to the vendor and they were able to recreate the exploit.
>
> My client doesn't want to go public with it because of the thousands of workstations and servers that it's installed on. I also don't believe the vendor will go public with it. What would you all do?
>
> Best Regards --John
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT