RE: Complicated Disclosure Scenario

From: Nathan Anderson (nathanat_private)
Date: Thu Jan 17 2002 - 09:08:46 PST

Next message: Len Rose: "Re: cgate soli86"

Previous message: Nick Lange: "Re: Complicated Disclosure Scenario"
In reply to: Josha Bronson: "Complicated Disclosure Scenario"
Next in thread: Parity: "RE: Complicated Disclosure Scenario"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Josha,

>>I encouraged the vendor to begin their own investigation. They ignored
this, and again stated that they would await my results.<<

	1. If you feel confident in your ability to exploit it then my opinion is
that you offer to do the investigation at an hourly fee.  (Make sure you get
written documentation to any agreement with said vendor)  Your time is
valuable and _they_ are the responsible party for tracking it down and
fixing it -- not you.  So if they want you to track it down, they should pay
you.

	Otherwise:

	You plainly inform them that you will be releasing the advisory in two
weeks or one month and give them the date of release.

Nathan.

Next message: Len Rose: "Re: cgate soli86"
Previous message: Nick Lange: "Re: Complicated Disclosure Scenario"
In reply to: Josha Bronson: "Complicated Disclosure Scenario"
Next in thread: Parity: "RE: Complicated Disclosure Scenario"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 14:00:36 PST