[34991] in bugtraq


Re: Question About Ethics and Full Disclosure

daemon@ATHENA.MIT.EDU (T.J.)
Thu May 20 19:08:14 2004

Message-ID: <40AD2673.4040304@phreaker.net>
Date: Thu, 20 May 2004 14:43:15 -0700
From: "T.J." <tjtoocool@phreaker.net>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com, webappsec@securityfocus.com
In-Reply-To: <200405201543390.SM01396@ARCHANGEL>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Well...if it's bugging you that much that the software remains 
unpatched, go ahead and post it everywhere. You'd be surprised how 
quickly it will get patched. ;)

Tom wrote:

>I have sat on 2 vulnerabilities for a shopping cart for over a year and
>nothing has changed.  Now I have found a 3rd with new services added to this
>shopping cart. 
>
>I have emailed support several times but NEVER get a response.
>As a security professional and not to be Unethical what would be a
>recommended path to follow?
>	
>* Notify their customers (several 100)
>* Notify the Payment Gateways they are Authorized to use 
>(VeriSign, PayPal, Authorize.NET)
>* Be a total A** and just release it to all the mailing lists and at DEFCON
>
>BTW...I have sent several emails to various parts of VeriSign and NOBODY has
>responded as to the proper person to notify within the organization about
>this. I chose VeriSign because this cart is at the Top of Their List!
>
>IF anyone knows who to contact from VeriSign, authorize.net and PayPal about
>this please email me directly.
>
>Thanks,
>
>Tom Ryan