Establishing Digital Trust: Don't Sacrifice Security for Convenience
SecurityWeek recently reported that security company Secunia accidentally shared two unpatched vulnerabilities in Intergraph's ERDAS ER image viewing software with a public mailing list (h/t E Hacking News).
According to SecurityWeek's Steve Ragan, it looks like it was an auto-fill error -- while the e-mail from Secunia's Chaitanya Sharma was intended for the "vuln" address at Secunia, the auto-filled address pointed instead to email@example.com, the Vulnerability Information Managers mailing list.
In response, Secunia CTO Morten Rinder Stengaard told Ragan, "The disclosure of the vulnerability was - exactly as you suggest - an error, and instead of cc'ing an internal Secunia e-mail address, the researcher working on the case by accident cc'ed the mailing list."
In a blog post on Secunia's Web site, Stengaard further explained, "Earlier this month, a researcher discovered two vulnerabilities within an application, and was coordinating them via the Secunia SVCRP program. While coordinating with the researcher, one email was accidentally sent from Secunia to a public e-mailing list, thereby making information about one of the vulnerabilities publicly available. Upon realizing the mistake, Secunia immediately informed the vendor in question, who is currently working to create a patch for the vulnerability. Secunia is going through all procedures to ensure that this cannot happen in future."