Among other things I also deal with product vulnerabilities that are reported to us. It's great to be able to work with other security researchers as it allows us to make our products safer and get to know some great people out there. Most of the more "reputable" people and organizations that report vulnerabilities follow some variation of Rain Forest Puppy's "Full Disclosure Policy", which is a good framework for professional researchers and vendors to work together.

While investigating a very recent CAB/RAR scan bypass vulnerability reported to us I came across a post by kurt that links to a sales presentation by n.runs.

Imagine my surprise when I download the presentation and find out that n.runs has already publicly disclosed details of the very same vulnerability it has reported to us not even a week ago and which we're still researching. In their sales presentation they even use this vulnerability as their main argument on why you should buy their product!

Researchers normally release timelines in their disclosures. I think it's a good thing as it allows people to see how slowly or rapidly a vendor deals with reported vulnerabilities. This gave me an idea on how to clearly show the chain of events in this incident:
  Nov. 6:    n.runs initial vulnerability report and PoC to Panda
  Nov. 7:    Panda acknowledges receipt and starts investigating
  Nov. 13:  n.runs publicly discloses Panda as vulnerable
  Nov. 16:  Panda sends comments on vulnerability and PoC to n.runs
  Nov. 16:  n.runs responds to Panda comments (fails to mention the issue is already public)
  Nov. 21:  Panda sends final response to n.runs

I guess this serves as an example of a "specially crafted sales pitch may bypass your very own disclosure policy" vulnerability 🙂

Comments?