[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?

Andy Isaacson adi at hexapodia.org
Mon Jul 25 02:17:58 PDT 2011


On Sat, Jul 23, 2011 at 11:33:28PM -0700, Danny O'Brien wrote:
> I've been able to deduce a fairly glaring security problem with a
> widely-available commercial product. Other users have found the same
> problem, and reported it to the company, but it sounds like they've
> sat on the problem for at least two months without pushing out a fix.
> (There's no cleverness here: it really didn't take me very long to
> work out a workable remote exploit from public information. It's a
> very clumsy mistake.)
> 
> Can somebody who has been through this themselves walk me through the
> actual protocol to formally report this to the company (or gather
> evidence that they've been aware of the problem), and how to publicise
> it further through the correct channels?

The simple way is to write up a description of the problem and email it
to whatever email addresses you can find at the company, with a note
that you'll be posting it to full-disclosure on <DATE>.  They're the
ones at fault here; publishing information about their failure to secure
their products is you doing them a favor, and you don't need to put
yourself out any more than necessary.

Responsible companies have a security contact address, and you can
generally find them by googling "<company> security contact", but of
course anyone who hasn't responded to a known issue in two months isn't
a responsible company.

-andy


More information about the Noisebridge-discuss mailing list