Re: Full Disclosure of Security Vulnerabilities

I had the same situation some time ago. Somehow, how and when we can
disclose the vulnerability depends on the agreement between you and your
client. On the other hand, as a security professional you should push the
software maker to also consider other clients that may be affected by this
vulnerability as well. How should their other customers address this
vulnerability without disclosure, ... etc., and so on.

Cheers,
Arif Jatmoko
InfoSec Officer - Coca-Cola Bottling Indonesia


From: jfvanmeter@xxxxxxxxxxx
Sent by: listbounce@xxxxxxxxxxxxxxxxx
Date: 11/01/2007 03:21 AM
To: pen-test@securityfocus.com
Subject: Full Disclosure of Security Vulnerabilities

Hello Everyone, I would like to get your thoughts on Full Disclosure of
Security Vulnerabilities. About 3 weeks ago, during a pen-test of a
software suite for a client of mine, I found a directory traversal in a
software suite that my client has installed on thousands of workstations.

I sent screen shots and a packet capture to the vendor and they were able
to recreate the exploit.

My client doesn't want to go public with it because of the thousands of
workstations and servers that it's installed on. I also don't believe the
vendor will go public with it. What would you all do?

Best Regards --John






