by Arnt 981 days ago
Suppose that I'm actively exploiting your software. Then I'm in a position where I can describe the exploit, but you may not be. After all I'm hardly eager to tell you how I'm doing it.

Once you discover that it's happening, you know there is an exploit so you know at least that the vulnerability exists. The discovery probably tells you something about the vulnerability, but how much? The last one I heard about in any detail was discovered when they noticed that an uplink was at 100% utilisation and realised that it was due to data being exfiltrated. That didn't tell them much about how the intruder gained the ability to exfiltrate the data.

Do you know enough to describe it? I know enough, but you're the one who's required to write a notification. Can you describe the vulnerability that's the subject of your notification?

1 comment

It's easy.

Just report whatever you knew already. ... and prepare to join endless meetings with no time to work on the problem. /s