Pwning Automize Password Encryption
- 13/12/16 Vulnerabilities Discovered
- 17/12/16 Vendor Notified: Notified of vulnerabilities, requested channel for secure comms (no reply).
- 17/12/16 CVEs Requested
- xx/xx/xx Contact Vendor again
- xx/xx/xx Reply from Vendor: Not really interested - suggested implementing mitigating network defenses to prevent the server hosting Automize from being compromised.
- 03/01/17 CVEs Assigned
- xx/xx/xx Update to Vendor: Provided CVE details and asked for final confirmation of any plans to fix.
- xx/xx/xx Reply from Vendor: Added to wishlist for 12.x, but no plans to issue a patch for older versions.
- 14/01/17 Public Disclosure
- sizzop - he knows why :)
- CVE Assignment Team for accepting these requests, even though this vendor is normally out of scope.