Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)
Applied Watch Technologies Official Vendor Response
Date: November 28, 2003
Applied Watch Technologies embraces and fully supports the open-disclosure
community. Further to that, we embrace responsible disclosure where vendors
are given ample time to develop and release a patch in coordination with any
posts made by the researchers to protect our customers.

In this instance, Applied Watch Technologies, Inc. was not contacted by any
Bugtraq.org (Gobbles) researchers in this advisory they released. Quoting a
news report I was quoted in that had no affiliations with Applied Watch
Technologies or its network from August of 2002 is not what I would call a
reason for no vendor notification or lack thereof from Bugtraq.org.

No vendor is immune to posts on Bugtraq. Flaws in code exist, and we are very
appreciative of any audits of our product that researchers do; however, in
all fairness, the vendor should be given an opportunity to know about them so
countermeasures can be put in place and made available.

To this end, Applied Watch Technologies has made new versions available for
all pilot evaluations in progress, as well as current customers. New versions
of the Applied Watch Server (v1.4.5) can be downloaded from
https://my.appliedwatch.com. It should be noted that Applied Watch responded
with a fix within an hour of the Bugtraq post being made public.

Based on the Bugtraq.org advisory, Applied Watch understands there
are "hundreds" of other vulnerabilities that have been found. We urge any
researcher at Bugtraq.org to contact us at support@xxxxxxxxxxxxxxxx with
details on these other suspected vulns before going public with them short of
a patch provided by Applied Watch.

Anyone with questions or concerns can contact us toll free at: (877) 262-7593
or support@xxxxxxxxxxxxxxxx

Regards,
Eric Hines
CEO, President
Applied Watch Technologies, Inc.