WebApp Sec mailing list archives
FW: Publication of Vulnerabilities in Vendor Code
From: "Brokken, Allen P." <BrokkenA () missouri edu>
Date: Fri, 10 Mar 2006 15:23:45 -0600
Are there any kind of industry standard, or recommended guidelines for "going public" with holes you've found in vendor code that have not yet been disclosed by the vendor? I recently identified a significant hole in a commercial package, and my research has shown that it has not been published in any format to date. I have contacted the vendor, and gave them prototype exploit code that utilized the vulnerability. They have a significant user base, and at this point they have not published a patch, a vulnerability report, or set of mitigation strategies. At this point it's been 4 weeks since my initial identification. I've received an initial acknowledgement email, followed by an email saying they were studying the problem. I have yet to get any kind of schedule or commitment to fix the issue. I would appreciate insights into how to handle this issue. Allen Brokken Information Security and Account Management - IAT Services - University of Missouri -brokkena () missouri edu - (573)884-8708 ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
Current thread:
- FW: Publication of Vulnerabilities in Vendor Code Brokken, Allen P. (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)
- RE: FW: Publication of Vulnerabilities in Vendor Code Sasha Romanosky (Mar 11)
- Re: FW: Publication of Vulnerabilities in Vendor Code Kyle Maxwell (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code leighm (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)