[Full-disclosure] Publicly Disclosing A Vulnerability

From: Josh Perrymon (perrymonj_at_networkarmor.com)
Date: 10/05/05

  • Next message: xyberpix: "Re: [Full-disclosure] Publicly Disclosing A Vulnerability"
    Date: Wed, 5 Oct 2005 09:52:14 -0500
    To: <full-disclosure@lists.grok.org.uk>



    I believe in working with the Vendor to inform then of vulnerable
    software upon finding it in the wild so on...

    But I have a question...


    While performing a pen-test for a large company I found a directory
    transversal vulnerability in a search program-

    I used Achilles and inserted the DT attack in a hidden field and posted
    it to the web server. This returned the win.ini..



    Well... I called the company up and got the lead engineer on the phone..
    He seemed a little pissed.

    He told me that they found the hole internally a couple months ago but
    they don't want it public and they said I should not tell anyone about
    it because they don't want their customers at risk.


    So I ask the list- what is more beneficial to the customer? Not publicly
    disclosing the risk and hoping that they follow the suggestions of the
    vendor to upgrade? Or waiting 30 days and send it out?




    Joshua Perrymon

    Sr. Security Consultant

    Network Armor

    A Division of Integrated Computer Solutions

    perrymonj( at <mailto:perrymonj@networkarmor.com> )networkarmor.com

    Cell. 850.345.9186

    Office: 850.205.7501 x1104



    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

  • Next message: xyberpix: "Re: [Full-disclosure] Publicly Disclosing A Vulnerability"