Security Contact for Lyris

To: BUGTRAQ <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Security Contact for Lyris
From: H D Moore <sflist@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Jun 2005 13:17:08 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.8

I am trying to reach the security contact at Lyris (www.lyris.com).  I 
sent an email to every address listed on the web site and keep getting 
blown off by the operator when I call[1]. The OSVDB Vendor Dictionary has 
no contact information listed for Lyris. There are a number of serious, 
remotely-exploitable issues in the ListManager product...

-HD

1. On the first call, I asked for product development or someone in the 
security department. The operator asked me why I was calling, I explained 
that I was trying to report a security vulnerability. Shes asks if I want 
sales, I try to explain again why I am calling. I was transferred in 
mid-sentence to a voicemail box with no name. I called back again, this 
time using their voice menu to transfer to sales. The same operator picks 
up the call and I try to explain the situation again. I ask for sales, 
she won't forward me because I "don't want to purchase the product". I 
ask for customer support, she won't forward me because I am not a current 
customer. I explain again that I am trying to do them a favor and that I 
really need to contact someone in the product development or security 
departments. The call ends.

Follow-Ups:
- Re: Security Contact for Lyris
  - From: H D Moore

Prev by Date: [USN-141-1] tcpdump vulnerability
Next by Date: MercuryBoard 1.1.4 SQL Injection
Previous by thread: [USN-141-1] tcpdump vulnerability
Next by thread: Re: Security Contact for Lyris
Index(es):
- Date
- Thread