Re: Decision

From: Mike Caudill (mcaudill@cisco.com)
Date: Thu Jun 05 2003 - 21:59:44 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hello,
>
> I have run into a hard decision - I just discovered a bug in
> <someserver> which <some large company> runs and is only
> accessible to the clients of <the company> - it's an auth
> server, somewhere tied together with Cisco router w/ SSG and
> RADIUS authentication.
>
> Due to the bug, any source file can be read, and <the company> has spent
> thousands of $ making the system.
>
> What's best - report the bug and possible workarounds, or let it
> stay?
> What I am nervous of is that <the company> could 'kick' me later
> for seeing the sources.
>
> P.Krumins

Peter,

CERT/CC has a checkbox on their vulnerability reporting form to keep the
reporter's information confidential from the affected vendors. See their
form at

        http://www.cert.org/reporting/vulnerability_form.txt

If you don't feel comfortable going to the affected vendors directly, there
is always the option of using a trusted 3rd party like CERT/CC and having
them contact the vendors on your behalf.

- -Mike-

- --
- ----------------------------------------------------------------------------
| || || | Mike Caudill | mcaudill@cisco.com |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPuADjopjyUnrvVJxEQJX7ACg80UaFE2pRCF1gbBRzRKg/cilPeQAoLdP
fekIMRYxavhJDJd4WyBlVl6M
=tp+w
-----END PGP SIGNATURE-----