Full Disclosure mailing list archives
Re: University of Central Florida Multiple LFI
From: Hack Talk <hacktalkblog () gmail com>
Date: Sat, 19 Feb 2011 12:46:04 -0500
Hey Shawn,

I typically follow the Rain Forest Puppy Responsible Disclosure Policy, which I'm sure many people have read. I even extended the contact time to 2 weeks since Universities are quite busy places. During those 2 weeks I personally emailed them back 5 times and did not get a single response back. This is not the first time the University has neglected to respond to vulnerabilities affecting their sites, and as such I decided that enough was enough and that by publicly disclosing these vulnerabilities they would be forced to patch their code. I've worked with many Universities in the past to patch their vulnerabilities, and they have typically responded within 12 hours of me sending my initial email alerting them to the issue. Being a .edu does not exempt you from hackers wanting into your system, and it does not mean you can get away with having gaping holes in security for months without patching them. Full Disclosure as a methodology is about forcing people to fix their holes, which is exactly what I was hoping would happen to UCF.

Thanks for doing your best to extinguish the flamewar that was starting :D

Luis Santana

On Sat, Feb 19, 2011 at 12:40 PM, Shawn Merdinger <shawnmer () gmail com> wrote:
> Hi,
>
> On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog () gmail com> wrote:
>> countless attempts to contact both their infosec team, the "tech rangers", and their personal web developers with no contact back or patching of these vulnerabilities I decided to post these up on FD. There are still many, _many_ more vulnerabilities which I have yet to disclose as I'm still giving them a chance to patch them.
>
> I'll side-step the discussion of possible ethical and legal ramifications here. However, I humbly suggest there are ways to escalate one's concerns in most organizations, especially open ones like public .edus. For example, one could, after "no contact back" from a .edu's security/site owners, notify the .edu's general counsel and president's office, perhaps cc'ing US-CERT and CERT/CC as well. Having your process, intentions and outcomes documented in a disclosure policy that you've provided to all parties from initial communication also might be something to consider.
>
> Cheers,
> --scm
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/