BugTraq
Question About Ethics and Full Disclosure May 20 2004 07:43PM Tom (tommy providesecurity com) (2 replies)
Re: Question About Ethics and Full Disclosure May 20 2004 10:27PM Michal Zalewski (lcamtuf coredump cx)
unpatched, go ahead and post it everywhere. You'd be surprised how
quickly it will get patched. ;)
Tom wrote:
>I have sat on 2 vulnerabilities for a shopping cart for over a year and
>nothing has changed. Now I have found a 3rd with new services added to this
>shopping cart.
>
>I have emailed support several times but NEVER get a response.
>As a security professional and not to be Unethical what would be a
>recommended path to follow?
>
>* Notify their customers (several 100)
>* Notify the Payment Gateways they are Authorized to use
>(VeriSign, PayPal, Authorize.NET)
>* Be a total A** and just release it to all the mailing lists and at DEFCON
>
>BTW...I have sent several emails to various parts of VeriSign and NOBODY has
>responded as to the proper person to notify within the organization about
>this. I chose VeriSign because this cart is at the Top of Their List!
>
>IF anyone knows who to contact from VeriSign, authorize.net and PayPal about
>this please email me directly.
>
>Thanks,
>
>Tom Ryan