[VIM] Q2 Solutions ConnX - timeline

security curmudgeon jericho at attrition.org
Tue Apr 7 02:24:56 UTC 2009



  Vendor refused to comment on whether they would develop a patch or even notify
  existing client base.

  Workaround: Remove ConnX server from public Internet access and protect behind
  corporate firewalls, SSL-VPN, web application firewall etc.

Disclosure timeline:
  30-Oct-2008 - Discovered during audit.
  05-Nov-2008 - Notified vendor. Vendor declined to comment.
  01-Dec-2008 - Submitted full details to vendor.
  18-Dec-2008 - Attempted to contact vendor again for a patch release date.
  18-Dec-2008 - And again...
  18-Dec-2008 - Vendor response, no patch - "We support our clients,
                not independent contractors."
  03-Apr-2009 - Disclosure.

More information about the VIM mailing list