WebApp Sec mailing list archives

Re: FW: Publication of Vulnerabilities in Vendor Code


From: "Kyle Maxwell" <krmaxwell () gmail com>
Date: Fri, 10 Mar 2006 18:32:26 -0600

On 3/10/06, Brokken, Allen P. <BrokkenA () missouri edu> wrote:
Are there any kind of industry standard, or recommended guidelines for "going public" with holes you've found in 
vendor code that have not yet been disclosed by the vendor?

There are a lot of answers to this question, as you'll see just by
Googling for "vulnerability disclosure policy". That said, many of us
follow rain forest puppy's old policy as outlined at
http://www.wiretrip.net/rfp/policy.html, which essentially requires
the vendor to stay in communication with the researcher and make a
good faith effort to fix the problem.

Were I in your shoes, I would contact them, inform them you are
concerned about the lack of communication, and state that you will
disclose it publicly if you hear nothing from them within 5 business
days. If they do in fact respond, you should outline a communication
schedule and a hard date by which they must fix the problem and make
the fix available; help them to understand that their customers are
vulnerable *today* and they should be fixing the problem with all due
speed and care.

--
Kyle Maxwell
http://caffeinatedsecurity.com
[krmaxwell () gmail com]
