|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: [Full-Disclosure] Vendor casual towards vulnerability found in product
From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh
online.gateway.technolabs.net)
Date: Wed May 26 2004 - 22:45:37 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> 1. Would an exploit like this be said to be severe?
yes i assume from your email that the url would have to recofig the server from the scratch then not serious but if any file can be deleted then it is serious
> 2. Is the vendor right in their approach to this issue?
no, the vendor should release a full advisory about this and at a minimum release the patch for this
> 3. How do I make public the vulnerability? (Vendor has given
> permission for
> the same)
google around the rain forest puppy's disclosure policy for this, it is really good for this
> 4. Ok, I'll rather ask... *should* I make public details of this
> vulnerability? (Since I know of sites using this app server, and
> they may be
> taken down if the exploit goes out)
>
don't make it public without giving all the people affected a chance to protect their system, however you may release something like a one line description of this and *not* give details to anyone except the vendor
-aditya
________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]