Re: Full Disclosure of Security Vulnerabilities

From: jfvanmeter@comcast.net
Date: Thu Nov 01 2007 - 08:40:09 EST

• Next message: mlevenstein@spohncentral.com: "Re: Full Disclosure of Security Vulnerabilities"
• Previous message: Patrick J Kobly: "Re: Full Disclosure of Security Vulnerabilities"
• Maybe in reply to: jfvanmeter@comcast.net: "Full Disclosure of Security Vulnerabilities"
• Next in thread: mlevenstein@spohncentral.com: "Re: Full Disclosure of Security Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thank You Don, i was going to do just that file out the report per CERT spec the issue is that 45 days after CERT recives the report CERT makes it publicly available.

Take Care and Have Fun --John

 -------------- Original message ----------------------
From: Don Miesle <donmiesle@mac.com>
> If you really want to make sure that this issue gets resolved, and you
> are not prohibited from reporting this vulnerability (via contract or
> disclosure agreement) you can report it the the CERT coordination center:
>
> Here's the form to report the vulnerability: http://w w w
> .cert.org/reporting/vulnerability_form.txt
>
> and send it to cert_at_cert_dot_org
>
> as well as information on what happens when you report a vulnerability:
> http://w w w.cert.org/kb/vul_disclosure.html
>
> Regards,
> Don
>
> -------- Original Message --------
> Subject: Full Disclosure of Security Vulnerabilities
> From: jfvanmeter@comcast.net
> To: pen-test@securityfocus.com
> Date: 10/31/2007 1:00 PM
> > Hello Everyone, I would llike to get your thoughts on Full Disclosure of
> Security Vulnerabilities . About 3 weeks ago during a per-test of a software
> suite for a client of myine, I found a directory traversal in a software suite
> that my client has installed on thousands of workstation.
> >
> > I send screen shots and a packet capture to the vendor and they were able to
> to recreate the exploit.
> >
> > my cleint doesn't want to go public with it because of the thousands of
> workstations and servers that its installed on. I also don't believe the vendor
> will go public with it, what would you all do?
> >
> > Best Regards --John
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
> >
> >
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: mlevenstein@spohncentral.com: "Re: Full Disclosure of Security Vulnerabilities"
• Previous message: Patrick J Kobly: "Re: Full Disclosure of Security Vulnerabilities"
• Maybe in reply to: jfvanmeter@comcast.net: "Full Disclosure of Security Vulnerabilities"
• Next in thread: mlevenstein@spohncentral.com: "Re: Full Disclosure of Security Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT