Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
ProtocolAleph One (aleph1nationwide.net)
Fri, 15 May 1998 10:33:37 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Peter van Dijk: "Re: easy DoS in most RPC apps"
- Previous message: Solar Designer: "John the Ripper v1.5"
No more than a few weeks ago I posted a message on this subject. Here we go again. The recommended protocol when reporting security vulnerabilities is: a) Contact the product's vendor or maintainer and give them a one week time to respond. If you don't hear from them post to the list. b) If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. Obviously this will depend on the vulnerability and product and its up to you to make an estimate. If they don't fix it in the alloted time post to the list. When it is advisable to post to the list without contacting the vendor: a) When you cannot find a contact within the vendor to make a report. b) When the vendor will not fix the vulnerability. c) When the product is no longer actively supported. d) When you believe the vulnerability to be actively exploited and not informing the community will cause more harm than good. All this being said, we rather have people report vulnerabilities to the list and not the vendor, whatever their reasons may be, than having them keep the information to themselves. What you don't know _can_ hurt you. Furthermore, any claims that the person posting the vulnerability is liable for any break-ins occurring thereafter are misguided. The only one liable is the vendor that put out the buggy software. Anything else is damage control by the vendor. As always when reporting a vulnerability try to be as precise and complete as you can. Include model numbers, software revisions, patch levels and any other relevant information. It is also recommended you posts details of the vulnerability even after the vendor has released and advisories and/or patches. It is not uncommon for vulnerabilities to affect different vendors and/or products. Without the details it is difficult to determine who else may be affected. Aleph One / aleph1dfw.net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01