An email was sent by mistake to a public mailing list

May 29, 2013 08:49 GMT

Secunia’s Vulnerability Coordination Reward Program (SVCRP) is used by many security researchers because it offers an efficient way to responsibly disclose security holes. However, because of an error, a couple of vulnerabilities reported to Secunia ended up on a public mailing list.

According to SecurityWeek, Secunia’s Advisory Team Lead, Chaitanya Sharma, wanted to send an email to the “vuln” address at Secunia. However, likely because of the autocomplete feature, the email was erroneously sent to the “vim” address at Attrition.com, the mailing list for Vulnerability Information Managers.

The email contained some details regarding a couple of vulnerabilities in ERDAS ER Viewer, an image viewing app developed by Intergraph that allows customers to view large JPEG 2000 and ECW files.

The freeware application is said to be used by numerous organizations, including ones from the defense sector.

In a statement published after the incident came to light, Morten R. Stengaard, CTO at Secunia, revealed that the vendor in question was notified immediately. A patch is being prepared to address the vulnerability.

“Secunia is going through all procedures to ensure that this cannot happen in future,” Stengaard explained.