Re: Unresponsive Vendor

[Matt Burnett <marukka () mac com>]

Im sorry if you feel that I am being immature, the main reason I would like
credit would be to add it to my resume. I haven't worked in 4.5 months and I
could use all the help I can get. Potential employers ive talked to seem to
like stuff like this. Also I was irked by it because, for other security
flaws they have given the notifier credit. If they never gave anyone credit
I could understand that, but giving credit to people from well known orgs
and not giving credit to just some guy (like me) doesn¹t make much sense.

For the person who gave the broken window analogy. I normally wouldn¹t care
if it was just some random piece of software. However I use this software on
a daily basis. And when I do get another job im sure im going to have to
support it there and worry about the security flaw.

On 11/20/03 11:00 AM, "c_brauckmiller () LEK COM" <c_brauckmiller () LEK COM>
wrote:

> I have a couple of comments on this.
>
> First, and please don't take this the wrong way, let me state that I think
> that
> its a bit imature to complain about not getting credit for discovering a
> bug/vuln in a software package.  I understand that you'd like credit for your
> discovery, but I think your better served just releasing the fact that you
> have
> discovered it to the appropriate groups such as BugTraq.  That should be
> credit
> enough.  I wouldn't count on many vendors patting you on the back publicly and
> saying "Yeah we screwed up and this guy found it."
>
> Having said that, if you haven't heard from the vendor in a month with even a
> status update...I say screw'em...release the exploit.  If they don't have the
> common courtesy to let you know, "Hey..we are working on it." then they are
> not
> a very good company to begin with and they should be shown that the security
> community won't stand for it.  After they get nailed a couple times, hopefully
> they will reconsider their methods.
>
> My 2 cents worth.
>
> Craig
>
>
>
>
> Matt Burnett <marukka () mac com> on 11/19/2003 02:02:57 PM
>
> To:   security-basics () securityfocus com
> cc:    (bcc: Craig Brauckmiller/LEK)
>
> Subject:  Unresponsive Vendor
>
>
>
> I have a moral question for all of you. I have notified a major software
> company in the past about security issues with their software. I did email
> them with enough details to replicate the issue. However they never
> responded to my email, and a couple years later they fixed the issue and did
> not give credit were due. I'm sure other researchers contacted them with a
> similar but different way to exploit the flaw, but no one at all is given
> credit. Now I have a local d0s for their product and have contacted them
> again, this time via phone. After notifying them they gave me a case number
> and said a engineer would be in contact with me in approximately a week. I'm
> guessing that something similar will happen and this issue wont get fixed
> for a while, and once again I wont get credit. I'm just wondering what would
> be a fair time frame before releasing a exploit, and what I could/should do
> about receiving credit. I have looked at some papers online about when you
> should release a exploit but none i've read yet give any guidance on what
> you should do if the vendor is dragging their feet.
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------