Bugtraq mailing list archives

Re: Cisco TFTPD 1.1 Vulnerability


From: Jim Duncan <jnduncan () cisco com>
Date: Mon, 18 Jun 2001 19:21:03 -0400

Siberian writes:
> [Sentry Research Labs - ID0201061701]
> (c) 2001 by www.sentry-labs.com
> [...]
> Topic:
> Security Bug in CISCO TFTPD server 1.1
>
> Vendor Status:
> Informed (06/17/01)

Just for the record, I checked with my teammates and can't find any 
record that you contacted the Cisco Product Security Incident Response 
Team (PSIRT).  We're the group that handles vulnerabilities in all 
Cisco products and we're easily reachable.  It would've been more 
helpful if you had contacted us privately beforehand and given us an 
opportunity to make fixed code available before you posted the 
vulnerability.

If you did contact someone at Cisco, could you let us know who that was
so we can follow up with that person?  We'd like to make sure the
process works as best as it can.  If I am in error, please correct me.

I have not yet validated the vulnerability, but will look into it as 
soon as possible.

Regardless of the path the report took to get to us, we appreciate the 
time and effort that goes into such reporting.  Ultimately, everybody 
benefits from full disclosure of product security vulnerabilities.

Thanks.

        Jim



==
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>  Phone(Direct/FAX): +1 919 392 6209


