Re: Complicated Disclosure Scenario

[Mariusz Mazur <mariusz () isn pl>]

On 2002-01-17 Josha Bronson wrote the folowyng:

JB> This is the problem as it sits. If I reach out to "the community" for
JB> additional assistance with researching this bug I might as well just send
JB> out an advisory. If I release an advisory the vendor will most likely
JB> not have a patch ready, they will feel violated and the user base will
JB> be left open to exploitation with no fix. If I do nothing, the problem
JB> persists and nothing gets accomplished, and maybe someone with not so
JB> good intentions discovers the same bug and uses it to do harm.

JB> So, what would you do?

Well. "The community" doesn't have to be vuln-dev. Pick a couple of
known sec teams and ask them if they have the will and proper equipment
to check wether this thing is exploitable. I'm sure you'll find at least
one willing to take it over from you.



-- 
Mariusz Mazur
"One Ring to bring them all and in the darkness bind them"