The 2010 Pwnie Nominee For Lamest Vendor Response

Novell iManager vulnerabilities

Vendor: Novell

The CORE security team never fails to disappoint when it comes to lame vendor responses. Their interaction with the Novell iManager team regarding a buffer overflow and a DoS vulnerability can be summarized in one sentence: “No reply received”

2010-06-02: Paula Gephart from the iManager team notifies she was out of town and the email’s vacation rule has not worked for some reason. The iManager team also notifies that they would like to coordinate a release and they will re-establish the contact as soon as they can find an acceptable release mechanism.
2010-06-02: Core notifies that, given the 2nd publication deadline for the advisory has already passed and the lack of an answer from the iManager team to the questions asked in the email sent in [2010-05-20], it is best (according to the Core’s assessment on how to help users to reduce risk) to inform the vulnerable users about their risk and provide whatever mitigation or workarounds than to postpone disclosure to an uncertain future date. Core also notifies the advisory has already entered within the publication system and it would be hard to stop it, but it can be done if the iManager team provides the answers requested in the previous emails. Core notifies that will be waiting for this information until the end of the day and this deadline should be considered as final. No reply received.
2010-06-02: The advisory CORE-2010-0316 is published.

Read the entire timeline for more laughs.

Read the entire timeline for more laughs.