Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)

From: Eric Hines (eric.hines_at_appliedwatch.com)
Date: 11/28/03

    Date: Fri, 28 Nov 2003 13:02:41 -0800
    To: research@bugtraq.org, bugtraq@securityfocus.com
    
    

    Applied Watch Technologies Official Vendor Response
    Date: November 28, 2003

    Lists:

    Applied Watch Technologies embraces and fully supports the open-disclosure
    community. Further to that, we embrace responsible disclosure where vendors
    are given ample time to develop and release a patch in coordination with any
    posts made by the researchers to protect our customers.

    In this instance, Applied Watch Technologies, Inc. was not contacted by any
    Bugtraq.org (Gobbles) researchers in this advisory they released. Quoting a
    news report I was quoted in that had no affiliations with Applied Watch
    Technologies or its network from August of 2002 is not what I would call a
    reason for no vendor notification or lack thereof from Bugtraq.org.

    No vendor is immune to posts on Bugtraq. Flaws in code exist; we are very
    appreciative of any audits of our product that researchers do. However, in
    all fairness, the vendor should be given an opportunity to know about them so
    countermeasures can be put in place and made available.

    To this end, Applied Watch Technologies has made new versions available for
    all pilot evaluations in progress, as well as current customers. New versions
    of the Applied Watch Server (v1.4.5) can be downloaded from
    https://my.appliedwatch.com. It should be noted that Applied Watch responded
    with a fix within an hour of the Bugtraq post being made public.

    Based on the Bugtraq.org advisory, Applied Watch understands there
    are "hundreds" of other vulnerabilities that have been found. We urge any
    researcher at Bugtraq.org to contact us at support@appliedwatch.com with
    details on these other suspected vulns before going public with them short of
    a patch provided by Applied Watch.

    Anyone with questions or concerns can contact us toll free at: (877) 262-7593
    or support@appliedwatch.com

    Regards,
    Eric Hines
    CEO, President
    Applied Watch Technologies, Inc.

