Re: Full Disclosure of Security Vulnerabilities

From: Mike Hale (eyeronic.design@gmail.com)
Date: Thu Nov 01 2007 - 01:42:25 EST

• Next message: jfvanmeter@comcast.net: "Re: Full Disclosure of Security Vulnerabilities"
• Previous message: Thrynn: "Re: Full Disclosure of Security Vulnerabilities"
• In reply to: Brian Toovey: "Re: Full Disclosure of Security Vulnerabilities"
• Next in thread: Nikolaj: "Re: Full Disclosure of Security Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

What does your contract with your client state? What kind of NDA did
you sign? Legally, you'd be well advised to consult with an attorney
prior to disclosing anything publicly.

Morally, until a patch is applied to your clients' network, you
shouldn't disclose. You found the vulnerability on your clients'
time, and you should respect their wishes in this case.

On 10/31/07, Brian Toovey <admin@vulntrac.com> wrote:
> Sell it on that auction site :)
>
> --
> Brian Toovey
> admin@vulntrac.com
> http://vulntrac.com
>
>
> On 10/31/07, jfvanmeter@comcast.net <jfvanmeter@comcast.net> wrote:
> >
> > Hello Everyone, I would llike to get your thoughts on Full Disclosure of Security Vulnerabilities . About 3 weeks ago during a per-test of a software suite for a client of myine, I found a directory traversal in a software suite that my client has installed on thousands of workstation.
> >
> > I send screen shots and a packet capture to the vendor and they were able to to recreate the exploit.
> >
> > my cleint doesn't want to go public with it because of the thousands of workstations and servers that its installed on. I also don't believe the vendor will go public with it, what would you all do?
> >
> > Best Regards --John
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
> >
> >
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: jfvanmeter@comcast.net: "Re: Full Disclosure of Security Vulnerabilities"
• Previous message: Thrynn: "Re: Full Disclosure of Security Vulnerabilities"
• In reply to: Brian Toovey: "Re: Full Disclosure of Security Vulnerabilities"
• Next in thread: Nikolaj: "Re: Full Disclosure of Security Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT