[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?

Danny O'Brien danny at spesh.com
Sun Jul 24 06:33:28 UTC 2011


I've been able to deduce a fairly glaring security problem with a
widely-available commercial product. Other users have found the same
problem, and reported it to the company, but it sounds like they've
sat on the problem for at least two months without pushing out a fix.
(There's no cleverness here: it really didn't take me very long to
work out a workable remote exploit from public information. It's a
very clumsy mistake.)

Can somebody who has been through this themselves walk me through the
actual protocol to formally report this to the company (or gather
evidence that they've been aware of the problem), and how to publicise
it further through the correct channels?

d.



More information about the Noisebridge-discuss mailing list