On Tue, Jul 10, 2007 at 09:39:33PM -0400, Jim Popovitch wrote:
> On Tue, 2007-07-10 at 20:20 -0400, Bob Toxen wrote:
> > VI. VENDOR RESPONSE
> >
> > The vendor (Wachovia Bank) was notified via their customer service
> > phone number on June 25. We were transferred to "web support". The
> > person answering asked us to FAX the details to her and we did so,
> > also on June 25. We explained that we were reporting a severe
> > security problem on their web site.
>
> Severe? All that seems to be leaked is a person's Name/Address/SSN
> number and some other details. While this is too much info to leak, I'd
> hardly say it's severe. That same info can be easily found in people's
> mailboxes weekdays between noon and 4pm.

Leaking an SSN is considered serious. My use of the term "severe" was to
get their attention.

> > We stated that if we did not hear back from them within 7 days and
> > the problem was not fixed by then that we would post the problem on the
> > Full Disclosure list, following accepted industry practice.
>
> 7 days? "industry practice"? Come on Bob I know you know that large
> corporations can't feed a cat in 7 days let alone make unscheduled
> website changes that fast. Change control approvals alone would include
> 14 or more days in most enterprises. Why the rush to "say so"?

Please read my posting more carefully. I stated that if I did not hear
back within 7 days and the problem persisted then I would disclose it.
All they had to do was to ask for more time and I would have granted any
reasonable extension. Instead, it appears that they ignored my report;
discouraging that is what Full Disclosure is all about, IMO.

I think that that web page should have been shut down within the hour,
as any competent web person could have confirmed the leak with a few
minutes' inspection of the page source.

> -Jim P.

Bob

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/