WebApp Sec mailing list archives
Re: FW: Publication of Vulnerabilities in Vendor Code
From: D.Snezhkov <dsnezhkov () gmail com>
Date: Fri, 10 Mar 2006 17:30:17 -0600
Hi Allen, I was faced with similar situation some time ago. I have opted to post the vulnerability on the public list after multiple attempts to work with the vendor. Later on I was contacted by the vendor and found out that the email communication was routed incorrectly within the company due to unconventional issue or just the sheer size of the company. I would advise to making another attempt to contact them by placing a call into the company and getting in touch with the appropriate people . In my experience they may be unaware of the problem and quite interested in fixing the issue. Hope that helps. Dimitry. On 3/10/06, Brokken, Allen P. <BrokkenA () missouri edu> wrote:
Are there any kind of industry standard, or recommended guidelines for "going public" with holes you've found in vendor code that have not yet been disclosed by the vendor? I recently identified a significant hole in a commercial package, and my research has shown that it has not been published in any format to date. I have contacted the vendor, and gave them prototype exploit code that utilized the vulnerability. They have a significant user base, and at this point they have not published a patch, a vulnerability report, or set of mitigation strategies. At this point it's been 4 weeks since my initial identification. I've received an initial acknowledgement email, followed by an email saying they were studying the problem. I have yet to get any kind of schedule or commitment to fix the issue. I would appreciate insights into how to handle this issue. Allen Brokken Information Security and Account Management - IAT Services - University of Missouri -brokkena () missouri edu- (573)884-8708 ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
Current thread:
- FW: Publication of Vulnerabilities in Vendor Code Brokken, Allen P. (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)
- RE: FW: Publication of Vulnerabilities in Vendor Code Sasha Romanosky (Mar 11)
- Re: FW: Publication of Vulnerabilities in Vendor Code Kyle Maxwell (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code leighm (Mar 10)
- Re: FW: Publication of Vulnerabilities in Vendor Code D . Snezhkov (Mar 10)