Security Basics mailing list archives

RE: Unresponsive Vendor


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Fri, 21 Nov 2003 12:14:13 +0100

I was going to recommend reading that as well -- as you already did, I will
simply second the recommendation. The timeframe that rain forest puppy laid
out in that paper is appropriate.

Chris Meidinger
IT Technology and Services

badenIT GmbH
Innovation technology for your future

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Deutschland 

-----Original Message-----
From: Bruce Davis [mailto:talesian () istop com]
Sent: Thursday, November 20, 2003 9:36 PM
To: Matt Burnett; security-basics () securityfocus com
Subject: RE: Unresponsive Vendor


I'm not sure how many vendors will say that it is standard, but among the
hacking community that does notify vendors of exploits, I believe that the
RFP policy is considered to be standard and fair, as well as being fairly
straightforward.

http://www.wiretrip.net/rfp/policy.html

-----Original Message-----
From: Matt Burnett [mailto:marukka () mac com]
Sent: November 19, 2003 2:03 PM
To: security-basics () securityfocus com
Subject: Unresponsive Vendor


I have a moral question for all of you. I have notified a major software
company in the past about security issues with their software. I did email
them with enough details to replicate the issue. However, they never
responded to my email, and a couple of years later they fixed the issue and did
not give credit where due. I'm sure other researchers contacted them with a
similar but different way to exploit the flaw, but no one at all is given
credit. Now I have a local d0s for their product and have contacted them
again, this time via phone. After notifying them they gave me a case number
and said an engineer would be in contact with me in approximately a week. I'm
guessing that something similar will happen and this issue won't get fixed
for a while, and once again I won't get credit. I'm just wondering what would
be a fair time frame before releasing an exploit, and what I could/should do
about receiving credit. I have looked at some papers online about when you
should release an exploit, but none I've read yet give any guidance on what
you should do if the vendor is dragging their feet.

