Applied Watch Technologies Official Vendor Response

Date: November 28, 2003
Lists:

Applied Watch Technologies embraces and fully supports the open-disclosure community. Further to that, we embrace responsible disclosure where vendors are given ample time to develop and release a patch in coordination with any posts made by the researchers to protect our customers.

In this instance, Applied Watch Technologies, Inc. was not contacted by any Bugtraq.org (Gobbles) researchers in this advisory they released. Quoting a news report I was quoted in that had no affiliations with Applied Watch Technologies or its network from August of 2002 is not what I would call a reason for no vendor notification or lack thereof from Bugtraq.org.

No vendor is immune to posts on Bugtraq. Flaws in code exist; we are very appreciative of any audits of our product that researchers do. However, in all fairness, the vendor should be given an opportunity to know about them so countermeasures can be put in place and made available.

To this end, Applied Watch Technologies has made new versions available for all pilot evaluations in progress, as well as current customers. New versions of the Applied Watch Server (v1.4.5) can be downloaded from https://my.appliedwatch.com. It should be noted that Applied Watch responded with a fix within an hour of the Bugtraq post being made public.

Based on the Bugtraq.org advisory, Applied Watch understands there are "hundreds" of other vulnerabilities that have been found. We urge any researcher at Bugtraq.org to contact us at support@appliedwatch.com with details on these other suspected vulns before going public with them short of a patch provided by Applied Watch.

Anyone with questions or concerns can contact us toll free at: (877) 262-7593 or support@appliedwatch.com

Regards,

Eric Hines
CEO, President
Applied Watch Technologies, Inc.