HP asks researcher not to disclose security vulnerabilities
Kurt Grutzmacher has identified security vulnerabilities in network equipment from Huawei and H3C, details of which he had planned to disclose during this weekend’s Toorcon 14 security conference. Two days before the conference, H3C’s owner, HP, contacted him with a “cordial and apologetic” voicemail and email asking him to refrain from doing so.
It can only be assumed that, at the very last minute, HP must have come across some surprising new information that forced a mandatory extension of the mutually agreed 45-day non-disclosure period – as Grutzmacher puts it on his blog, “I’m guessing somebody woke up on Tuesday morning and went ‘Oh hell, is Toorcon this Saturday?’”
Grutzmacher discovered the vulnerabilities in July and reported them in August, roughly in parallel with Felix Lindner’s (FX) presentation on vulnerabilities in Huawei routers at Defcon. He assessed his independently discovered vulnerabilities as critical and had planned to present, in his talk, workarounds enabling affected users to mitigate the risks. All of this was known to the companies involved.
Not without a hint of derision, the disappointed conference presenter explains that the vulnerabilities were “apparently too big” to be published at present. He goes on to explain that he was strongly advised by other parties to agree to postpone disclosure. Who these other parties were, he does not divulge. His main occupation is, though, as a network consulting engineer at Cisco. He encourages people looking for more information related to the case, or to the security vulnerabilities in H3C products, to get in touch with HP’s PR contact.
HP has previous form in the disclosure business. The Zero Day Initiative (ZDI), which was acquired by and is now part of HP, delayed the publication of details of multiple vulnerabilities with the maximum vulnerability score of 10 until September 2012, over a year after notifying HP. ZDI normally gives a company six months to fix vulnerabilities reported to it before publication. HP appears to have approached this deadline without fear or fixes.