Re: Question About Ethics and Full Disclosure

["T.J." <tjtoocool () phreaker net>]

Well...if it's bugging you that much that the software remains 
unpatched, go ahead and post it everywhere. You'd be surprised how 
quickly it will get patched. ;)

Tom wrote:

> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed.  Now I have found a 3rd with new services added to this
> shopping cart. 
>
> I have emailed support several times but NEVER get a response.
> As a security professional and not to be Unethical what would be a
> recommended path to follow?
>         
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use 
> (VeriSign, PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY has
> responded as to the proper person to notify within the organization about
> this. I chose VeriSign because this cart is at the Top of Their List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal about
> this please email me directly.
>
> Thanks,
>
> Tom Ryan
>
>
>