Firm To Release Database, Web Server 0-Days
krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."
The problem is that they are not contacting vendors at all anymore, because on some previous occasions the vendor was slow or didn't react.
I work for one of the affected projects and can tell you that we did not get contacted by them via any of our normal, well-publicized methods (email, phone calls, etc.).
I agree that if a vendor does not reply then it is totally okay to disclose it to force their hand. However, disclosing it immediately to the public and giving the vendor no chance to fix it (even a few days) is wrong imo.
The problem is that he isn't contacting the vendors in this case. He said that in the past he has tried contacting them (in the general sense, not these vendors specifically) and some of them didn't reply, so from now on no vendors are going to be contacted.
I work for one of the projects affected and know that they did not contact us in this case. If he had, we would have happily fixed the issue within a day or two. Instead our users are being put on the line as dumb script kiddies try out their new exploit while we finish up the bug fix.
Oh hi! You must be my former student, Little Bobby Tables!