Security Basics mailing list archives
Re: Unresponsive Vendor
From: c_brauckmiller () LEK COM
Date: Thu, 20 Nov 2003 12:00:35 -0500
I have a couple of comments on this. First, and please don't take this the wrong way, let me state that I think that its a bit imature to complain about not getting credit for discovering a bug/vuln in a software package. I understand that you'd like credit for your discovery, but I think your better served just releasing the fact that you have discovered it to the appropriate groups such as BugTraq. That should be credit enough. I wouldn't count on many vendors patting you on the back publicly and saying "Yeah we screwed up and this guy found it." Having said that, if you haven't heard from the vendor in a month with even a status update...I say screw'em...release the exploit. If they don't have the common courtesy to let you know, "Hey..we are working on it." then they are not a very good company to begin with and they should be shown that the security community won't stand for it. After they get nailed a couple times, hopefully they will reconsider their methods. My 2 cents worth. Craig Matt Burnett <marukka () mac com> on 11/19/2003 02:02:57 PM To: security-basics () securityfocus com cc: (bcc: Craig Brauckmiller/LEK) Subject: Unresponsive Vendor I have a moral question for all of you. I have notified a major software company in the past about security issues with their software. I did email them with enough details to replicate the issue. However they never responded to my email, and a couple years later they fixed the issue and did not give credit were due. I'm sure other researchers contacted them with a similar but different way to exploit the flaw, but no one at all is given credit. Now I have a local d0s for their product and have contacted them again, this time via phone. After notifying them they gave me a case number and said a engineer would be in contact with me in approximately a week. I'm guessing that something similar will happen and this issue wont get fixed for a while, and once again I wont get credit. I'm just wondering what would be a fair time frame before releasing a exploit, and what I could/should do about receiving credit. I have looked at some papers online about when you should release a exploit but none i've read yet give any guidance on what you should do if the vendor is dragging their feet. --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Unresponsive Vendor Matt Burnett (Nov 20)
- RE: Unresponsive Vendor Bob Beck (Nov 20)
- Re: Unresponsive Vendor Byron Sonne (Nov 20)
- RE: Unresponsive Vendor Bruce Davis (Nov 20)
- <Possible follow-ups>
- RE: Unresponsive Vendor Tim Donahue (Nov 20)
- Re: Unresponsive Vendor JohnNicholson (Nov 20)
- RE: Unresponsive Vendor mrodrigu (Nov 20)
- Re: Unresponsive Vendor Meritt James (Nov 21)
- RE: Unresponsive Vendor Randy Golly (Nov 20)
- Re: Unresponsive Vendor c_brauckmiller (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Peter Schawacker (Nov 20)
- Re: Unresponsive Vendor Matt Burnett (Nov 21)
- Re: Unresponsive Vendor Matt Burnett (Nov 20)
- Re: Unresponsive Vendor Pieter-Bas IJdens (Nov 21)
- RE: Unresponsive Vendor Meidinger Chris (Nov 21)
- Re: Unresponsive Vendor mrodrigu (Nov 21)
- Re: Unresponsive Vendor Matt Burnett (Nov 21)