Full Disclosure mailing list archives

Re: University of Central Florida Multiple LFI


From: Hack Talk <hacktalkblog () gmail com>
Date: Sat, 19 Feb 2011 12:46:04 -0500

Hey Shawn,

I typically follow the Rain Forest Puppy Responsible Disclosure Policy which
I'm sure many people have read. I even extended the contact time to 2 weeks
since Universities are quite busy places. During those 2 weeks I personally
emailed them back 5 times and did not get a single response back. This is
not the first time the University has neglected to respond to
vulnerabilities affecting their sites and as such I decided that enough was
enough and that by publicly disclosing these vulnerabilities they would be
forced to patch their code. I've worked with many Universities in the past
to patch their vulnerabilities and they have responded typically within 12
hours of me sending my initial email alerting them to the issue. Being a
.edu does not exempt you from hackers wanting into your system and it does
not mean you can get away with having gaping holes in security for months
without patching them.

Full Disclosure as a methodology is about forcing people to fix their holes
which is exactly what I was hoping would happen to UCF.

Thanks for doing your best to extinguish the flamewar that was starting :D.


Luis Santana



On Sat, Feb 19, 2011 at 12:40 PM, Shawn Merdinger <shawnmer () gmail com> wrote:

Hi,

On Sat, Feb 19, 2011 at 12:04, Hack Talk <hacktalkblog () gmail com> wrote:
countless attempts to contact both their infosec team, the "tech rangers",
and their personal web developers with no contact back or patching of these
vulnerabilities I decided to post these up on FD. There are still many,
_many_ more vulnerabilities which I have yet to disclose as I'm still giving
them a chance to patch them.

I'll side-step the discussion of possible ethical and legal ramifications
here.

However, I humbly suggest there are ways to escalate one's concerns in
most organizations, especially open ones like public .edus.  For
example, one could, after "no contact back" from a .edu's security/site
owners, notify the .edu's general counsel and president's office,
perhaps cc'ing US-CERT and CERT/CC as well.  Having your process,
intentions and outcomes documented in a disclosure policy that you've
provided to all parties from initial communication also might be
something to consider.

Cheers,
--scm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
