[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?

Ronald Cotoni setient at gmail.com
Mon Jul 25 23:20:52 UTC 2011

This is a very big gray area, depending where the vuln is.  If this vuln
causes loss of life or perhaps significant loss of revenue, it could be
bad.   I would suggest consulting with someone who has done this previously
like Dan and see how to do this to CYA.

On Mon, Jul 25, 2011 at 2:17 AM, Andy Isaacson <adi at hexapodia.org> wrote:

> On Sat, Jul 23, 2011 at 11:33:28PM -0700, Danny O'Brien wrote:
> > I've been able to deduce a fairly glaring security problem with a
> > widely-available commercial product. Other users have found the same
> > problem, and reported it to the company, but it sounds like they've
> > sat on the problem for at least two months without pushing out a fix.
> > (There's no cleverness here: it really didn't take me very long to
> > work out a workable remote exploit from public information. It's a
> > very clumsy mistake.)
> >
> > Can somebody who has been through this themselves walk me through the
> > actual protocol to formally report this to the company (or gather
> > evidence that they've been aware of the problem), and how to publicise
> > it further through the correct channels?
> The simple way is to write up a description of the problem and email it
> to whatever email addresses you can find at the company, with a note
> that you'll be posting it to full-disclosure on <DATE>.  They're the
> ones at fault here; publishing information about their failure to secure
> their products is you doing them a favor, and you don't need to put
> yourself out any more than necessary.
> Responsible companies have a security contact address, and you can
> generally find them by googling "<company> security contact", but of
> course anyone who hasn't responded to a known issue in two months isn't
> a responsible company.
> -andy
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss

Ronald Cotoni
Systems Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20110725/4c8f7d61/attachment.html>

More information about the Noisebridge-discuss mailing list