[Full-Disclosure] Vendor casual towards vulnerability found in product
ge at egotistical.reprehensible.net
Wed May 26 16:29:56 BST 2004
| I have the following queries
| 1. Would an exploit like this be said to be severe?
| 2. Is the vendor right in their approach to this issue?
No. They are irresponsible and using their software would be a mistake.
| 3. How do I make public the vulnerability? (Vendor has given
| the same)
Well, I'd suggest timing it with them for their next release. If that
release is farther away than, say, whatever time period over 2 months,
threaten to publish it.
You could always contact securiteam.com for their assistance in
contacting the vendor, and verifying that you did prior to releasing it.
They provide such services.
Aside from using SecuriTeam's help (which I strongly recommend), try
| 4. Ok, I'll rather ask... *should* I make public details of this
| vulnerability? (Since I know of sites using this app server, and they
| taken down if the exploit goes out)
Sites will go down.
Should you? If you followed all the ethical standards and waited an
acceptable period of time.. you *could* and no one would look badly at
You could always sit on it if you'd like to feel more responsible with
yourself, I think you were very responsible, ALREADY) and once released
you can release more data on the issue.
| Your feedback would help.
The final decision should be yours. Take into account anything people
tell you, but make your own decision.
Don't listen to people who tell you that you are irresponsible, if you
first followed all the "rules". It is irresponsible to let such a
vulnerability exist without a patch.
Also, be responsible and DO follow the rules.
Full-Disclosure is hosted and sponsored by Secunia.