to continue the "it takes two to tango" metaphor, i will say the following (inline):

On Wed, 31 Jul 2002, Chris Paget wrote:

> 2) R attempts to contact V to reveal the bug.
> 3) V does not respond.

this is the fault of the vendor for not having a well-known and publicized contact point for handling security concerns. furthermore, if publicly published email addresses for the company (e.g. webmaster, abuse, postmaster, support, security) do NOT have the correct stuff forwarded to the security contact, there is an organizational breakdown for the vendor. this has been beaten to death by this point; there is no reason this should still be the case.

> 4) R attempts communication several times over the next 90 days, but
> never receives a response.

if the researcher doesn't attempt to work with an established third party (e.g. CERT, SecurityFocus) to get this contact made, they are acting in an irresponsible fashion. at least the researcher waited 90 days, though.

so, it does take two to tango: both sides have to have made honest efforts to make sure this process of vulnerability notification can work as smoothly as possible. this has been the subject of many recent discussions, including standards drafts. no excuses for not attempting to adhere to these best practices for either side of the issue.

___________________________
jose nazario, ph.d.
jose@monkey.org
http://www.monkey.org/~jose/