Standard procedure for security vulnerabilities.........

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Ok, a co-worker of mine found a critical flaw in some software we both use. We were examining it and how they implemented some capabilities in a secure manner. We found that there are some serious issues with their implementation and we do not believe there will be an easy fix.

Anyways, my co-worker has let the company know about the issue and provided a proof of concept demonstrating the flaw. How long should a person wait for a company to either fix the problem or warn their users of the possible consequences from continued use?

The severity of the flaw is just so mind-blowing, we just can't see letting the company sit on this for weeks while people could really be damaged by it.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Is this software something your company purchased? There may be language in the contract about resolving security vulnerabilities. I would also report it to your IT and/or information security departments.
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
Originally posted by: Codewiz
Ok, a co-worker of mine found a critical flaw in some software we both use. We were examining it and how they implemented some capabilities in a secure manner. We found that there are some serious issues with their implementation and we do not believe there will be an easy fix.

Anyways, my co-worker has let the company know about the issue and provided a proof of concept demonstrating the flaw. How long should a person wait for a company to either fix the problem or warn their users of the possible consequences from continued use?

The severity of the flaw is just so mind-blowing, we just can't see letting the company sit on this for weeks while people could really be damaged by it.

I've been in this position myself, twice, with two companies, whose names I will change to protect the innocent.

Company A, upon hearing of my discovery of a similar flaw, was immediately concerned, thanked me heartily, and set about fixing things right away. A fix was out within a week.

Company B, larger and more "established" than Company A, thanked me for my "criticism" and proceeded to ignore the problem altogether.

So, Codewiz, I'd say that if you haven't heard a reply within a week, assume your software provider doesn't care and switch to something that is secure.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
The company eventually responded and has since taken down the feature.

If they had not taken it down, I believe it would have been a bloodbath if we had gone to the media with this vulnerability.

We doubt this feature will be back from the company because we just don't feel there is a secure way to implement it.