MustLive mustlive at websecurity.com.ua
Mon Jul 29 16:45:47 EDT 2013

Hello participants of Mailing List.

Is there people in the list who have positive experience in working with ZDI
in 2013?

I'm asking, because I have bad experience in working with ZDI. In the
beginning of December I found multiple vulnerabilities in Avaya product. At
13.12.2012 and 18.12.2012 I informed ZDI by e-mail about them (including
serious vulnerabilities, which allowed to take over admin panel).

I hadn't received any answers from them. So in the end of January I
registered at zerodayinitiative.com and asked them through the site, if they
are interested in such holes. After they answered, that they were interested
in these holes, I've sent them details. After waiting for more then two
months (even they promised at their site to answer during 4-6 weeks), in the
beginning of April I wrote them again. But they only asked to wait for their
response on my advisory. So now they are thinking about these
vulnerabilities already for 6 months.

Meanwhile all clients, which use this Avaya product (and similar holes can
be in many other Avaya's products), are in a risk of compromise. They
demonstrate excessive slowness. At that at ZDI site in 2013 they published a
lot of advisories and announced a lot of new advisories (there are currently
129 advisories pending public disclosure, but without my advisory, on which
they haven't even answered). What experience do you have with ZDI this year?

Best wishes & regards,
Administrator of Websecurity web site

More information about the websecurity mailing list