Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Disclosure Question: Non-commercial/one off products
Posted by: Jeffuk
Date: October 11, 2007 10:53AM

Hi,

I understand the need for full public disclosure in 'normal' software..

But how should I handle an exploit i've found in one website? Public disclosure wouldn't help anybody, and it puts the personal information exposed with the vulnerability at even greater risk... BUT ... I want the company to do something about the problem, as they're leaking personal data like it was sweat in a brothel...

I've told the company, and the company that wrote their website (apprently they provide leading solutions for London financial institutions . .. I'm putting all my money under my bed right now.) And had no response from either in well over 2 weeks... and no fix.

I've also lodged a formal complaint with the Information commissioner's office, who enforce data protection and privacy issues within the UK.. What else can I do?

This site provides equipment for military personnell (not exclusively, but they make up a large part of their customer base).. and their full details are pretty much publically available through this site... maybe I should contact the MoD and the police too..

Any suggestions would be greatly appreciated.

Jeff...

Options: ReplyQuote
Re: Disclosure Question: Non-commercial/one off products
Posted by: Anonymous User
Date: October 11, 2007 11:29AM

Be amazed how quick they fix it when they get 10K of traffic from your site inspecting the holes. I had found something and put it on my site promptly, couple of hours later it was fixed. I get that a lot, and it really works.

It's a wrong argument that it puts the data at risk, because it already is at risk, maybe for some odd years. Remember we are not the only ones who pentest site for fun, heck some use automated scripts and probably found it before you and uploaded shells cascading the holes to attack other servers.

My opnion is clear: disclose it as fast as you can.

You did your job well, you contacted them.

Options: ReplyQuote
Re: Disclosure Question: Non-commercial/one off products
Posted by: id
Date: October 11, 2007 04:44PM

I agree with Ronald, the only people that are being hurt by it right now are the customers that are in the dark. At least give them a chance to complain/close their accounts/be aware of what information they have out there.

-id

Options: ReplyQuote


Sorry, only registered users may post in this forum.