disclose / research-threats

Collection of legal threats against good faith Security Researchers; vulnerability disclosure gone wrong. A continuation of work started by @attritionorg
https://threats.disclose.io/
Creative Commons Zero v1.0 Universal

How to reach out in private/anonymous? #32

Closed DemanNL closed 3 years ago

DemanNL commented 3 years ago

Recently found a critical vulnerability. Reserved a CVE for it.

However, the vendor is threatening my client with breach of contract and tells me not to publish the CVE.

I would like to warn about this vendor. However, because of this hostile behaviour I want to discuss this in private with someone. How can I reach out to the maintainers?

attritionorg commented 3 years ago

I don't think we have a single email address set up to go to everyone, and I don't think we can lock this issue to just maintainers + you. Will defer to @sickcodes on establishing a comms channel for these. Once done, we need to add it to the readme here.

sickcodes commented 3 years ago

You can email me: info at sick.codes

You can also use my public key if necessary https://sick.codes/pgp-key/

Cheers @attritionorg for the mention!

sickcodes commented 3 years ago

Recently found a critical vulnerability. Reserved a CVE for it.

However, the vendor is threatening my client with breach of contract and tells me not to publish the CVE.

I would like to warn about this vendor. However, because of this hostile behaviour I want to discuss this in private with someone. How can I reach out to the maintainers?

Once a CVE is reserved, it will be published. I am heavily interested, please email me:

info at sick.codes

attritionorg commented 3 years ago

re: CVE, no. It will only be published if the vendor or researcher discloses the information -and- someone informs MITRE that it has been published. If this is not resolved, the CVE will stay in RESERVED status for eternity unless someone contacts MITRE to REJECT it, but if it is a valid issue, that is not the correct course of action.

@HiddeSmit Please cc me, jericho at attrition.org. I have experience in dealing with disclosures such as these.

DemanNL commented 3 years ago

Mailed you both. MITRE confirmed that they can change the CVE to rejected.

The vulnerability is patched so all is fine. I'll get the CVE to be rejected I guess. And maybe you guys can include a warning somewhere on the list.

Just don't want others to get burned.

attritionorg commented 3 years ago

Hold off on REJECTing the CVE pending email discussion please?

sickcodes commented 3 years ago

We both spoke to the researcher and it's a complicated situation. Will update if required.