Full Disclosure mailing list archives
Re: Publicly Disclosing A Vulnerability
From: FX <fx () phenoelit de>
Date: Wed, 5 Oct 2005 18:38:27 +0200
Hi List, Hi Josh,

with all due respect for your work and your desire to perform responsible disclosure, did you perform the test for a client of NetworkArmor? If so, your company states on their web page:

"The NetworkArmor division of Integrated Computer Solutions, Inc. provides military-grade Information Security (InfoSec) Consulting Services to enterprise-class commercial businesses, non-profit organizations, educational institutions, and government agencies. Our certified InfoSec experts guide clients in developing comprehensive programs to secure information assets."

I don't know about the military part, but in enterprise-class, it's usually pretty clear who owns the vulnerability found on a paid-for pen-test. Therefore, as others already pointed out, it should not be your call to disclose the vulnerability.

My advice would be to focus on your customer and see what would be beneficial for him, which in this case probably is a fix from the vendor. This, in turn, would also be beneficial for the other customers of this vendor, since the fix would be produced and others could patch as well. And if your customer or the vendor publishes, they might even give you credit.

cheers
FX

--
FX <fx () phenoelit de>
Phenoelit (http://www.phenoelit.de)
672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/