Subject: Re: [Proftpd-user] [Proftpd-devel] A new Secunia advisory - proftpd
At 03:32 PM 11/28/2006, Francesco P. Lovergine wrote:
> http://secunia.com/advisories/23141/
>
> But for contents, it would be nice knowing if full disclosure is at
> least done after contacting developers :-/
I'm inclined to wonder myself at the timeliness of the notifications
by this "reliable researcher".
http://archives.neohapsis.com/archiv...6-q4/0230.html
"If you think that I never report my bugs to vendors - I do that, sometimes."
(I wonder who asked the question? credibility problems from elsewhere?)
Follow the link in the Secunia report at
http://secunia.com/advisories/23141/ to
http://lists.grok.org.uk/pipermail/f...er/050935.html
IV. CREDIT
Discovered by Evgeny Legerov.
The vulnerability is a part of VulnDisco Pack Professional since
Jan, 2006.
Uh, part of his commercial for-sale package since January? And he's
notifying developers now?
http://elegerov.blogspot.com/
But here he says he notified developers of the now-patched bug on Nov
17. Then says the first version of his package was Nov 07. Then
mentions finding the latest bug months ago, mentioning it on Oct 05.
And on Nov 12 he apparently directly forbids anyone from notifying
the developers, in responding to Matus, saying that purchasers must
respect the license
http://www.gleg.net/vulndisco_profes..._license.shtml
which says in part:
"Purchaser is not allowed to disclose the Pack in whole or
partly, to disclose any information concerning the Pack or
any information derived from the Pack."
which says to me that even if the ProFTPD development team had
purchased the VulnDisco Pack Professional at USD2299 plus USD559 per
quarter they couldn't risk, uh, disclosing fixes derived from the,
uh, paid-for package?
So he _might_ disclose, but others _can't_ disclose, so unless he
wants to brag, nobody can know? This cat-n-mouse smells fishy.