FW: Publication of Vulnerabilities in Vendor Code

["Brokken, Allen P." <BrokkenA () missouri edu>]

Are there any kind of industry standard, or recommended guidelines for "going public" with holes you've found in vendor 
code that have not yet been disclosed by the vendor?

I recently identified a significant hole in a commercial package, and my research has shown that it has not been 
published in any format to date.  I have contacted the vendor, and gave them prototype exploit code that utilized the 
vulnerability.  They have a significant user base, and at this point they have not published a patch, a vulnerability 
report, or set of mitigation strategies.   At this point it's been 4 weeks since my initial identification.  I've 
received an initial acknowledgement email, followed by an email saying they were studying the problem.  I have yet to 
get any kind of schedule or commitment to fix the issue.

I would appreciate insights into how to handle this issue. 

 
Allen Brokken
Information Security and Account Management - IAT Services - University of Missouri -brokkena () missouri edu - 
(573)884-8708


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1
--------------------------------------------------------------------------