WebApp Sec mailing list archives

Re: FW: Publication of Vulnerabilities in Vendor Code


From: leighm () linuxbandwagon com
Date: Sat, 11 Mar 2006 12:42:04 +1100

I usually just contact CERT; they are really good for this and have procedures in place.

leigh

Quoting "Brokken, Allen P." <BrokkenA () missouri edu>:

Are there any kind of industry standards or recommended guidelines for "going public" with holes you've found in vendor code that have not yet been disclosed by the vendor?

I recently identified a significant hole in a commercial package, and my research has shown that it has not been published in any format to date. I have contacted the vendor and gave them prototype exploit code that utilized the vulnerability. They have a significant user base, and at this point they have not published a patch, a vulnerability report, or a set of mitigation strategies. At this point it's been 4 weeks since my initial identification. I've received an initial acknowledgement email, followed by an email saying they were studying the problem. I have yet to get any kind of schedule or commitment to fix the issue.

I would appreciate insights into how to handle this issue.

Allen Brokken
Information Security and Account Management - IAT Services - University of Missouri - brokkena () missouri edu - (573)884-8708


--
Roses are #FF0000,
Violets are #0000FF
all of my base,
are belong to you
