Re: Complicated Disclosure Scenario

From: Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE)
Date: 01/17/02

To: Josha Bronson <dmuz@slartibartfast.angrypacket.com>
Date: Thu, 17 Jan 2002 12:04:10 +0100

Josha Bronson <dmuz@slartibartfast.angrypacket.com> writes:

> So, what would you do?

Write to the vendor and announce the publication of the preliminary
results within, say, two weeks, and rely on Full Disclosure forcing
the vendor to provide a fix. (However, there might be constraints in
your license contracts which could make this illegal.)

I'm surprised that this aspect of Full Disclosure is still necessary
today.

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898