[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?

Danny O'Brien danny at spesh.com
Mon Jul 25 16:33:41 PDT 2011


Yes, Dan and I are working on it! If appropriate, I will report in a future 5MOF

d.


On Mon, Jul 25, 2011 at 4:20 PM, Ronald Cotoni <setient at gmail.com> wrote:
> This is a very big gray area, depending where the vuln is.  If this vuln
> causes loss of life or perhaps significant loss of revenue, it could be
> bad.   I would suggest consulting with someone who has done this previously
> like Dan and see how to do this to CYA.
>
> On Mon, Jul 25, 2011 at 2:17 AM, Andy Isaacson <adi at hexapodia.org> wrote:
>>
>> On Sat, Jul 23, 2011 at 11:33:28PM -0700, Danny O'Brien wrote:
>> > I've been able to deduce a fairly glaring security problem with a
>> > widely-available commercial product. Other users have found the same
>> > problem, and reported it to the company, but it sounds like they've
>> > sat on the problem for at least two months without pushing out a fix.
>> > (There's no cleverness here: it really didn't take me very long to
>> > work out a workable remote exploit from public information. It's a
>> > very clumsy mistake.)
>> >
>> > Can somebody who has been through this themselves walk me through the
>> > actual protocol to formally report this to the company (or gather
>> > evidence that they've been aware of the problem), and how to publicise
>> > it further through the correct channels?
>>
>> The simple way is to write up a description of the problem and email it
>> to whatever email addresses you can find at the company, with a note
>> that you'll be posting it to full-disclosure on <DATE>.  They're the
>> ones at fault here; publishing information about their failure to secure
>> their products is you doing them a favor, and you don't need to put
>> yourself out any more than necessary.
>>
>> Responsible companies have a security contact address, and you can
>> generally find them by googling "<company> security contact", but of
>> course anyone who hasn't responded to a known issue in two months isn't
>> a responsible company.
>>
>> -andy
>> _______________________________________________
>> Noisebridge-discuss mailing list
>> Noisebridge-discuss at lists.noisebridge.net
>> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>
>
>
> --
> Ronald Cotoni
> Systems Engineer
>


More information about the Noisebridge-discuss mailing list