
View Full Version : Security Contact for Lyris



H D Moore
21/06/05, 21:05
I am trying to reach the security contact at Lyris (www.lyris.com). I
sent an email to every address listed on the web site and keep getting
blown off by the operator when I call[1]. The OSVDB Vendor Dictionary has
no contact information listed for Lyris. There are a number of serious,
remotely-exploitable issues in the ListManager product...

-HD

1. On the first call, I asked for product development or someone in the
security department. The operator asked me why I was calling, I explained
that I was trying to report a security vulnerability. She asks if I want
sales, I try to explain again why I am calling. I was transferred in
mid-sentence to a voicemail box with no name. I called back again, this
time using their voice menu to transfer to sales. The same operator picks
up the call and I try to explain the situation again. I ask for sales,
she won't forward me because I "don't want to purchase the product". I
ask for customer support, she won't forward me because I am not a current
customer. I explain again that I am trying to do them a favor and that I
really need to contact someone in the product development or security
departments. The call ends.

H D Moore
24/06/05, 18:15
The official security contact address for Lyris is now
'security@lyris.com'. Many thanks to the dozens of people that replied;
a representative from Lyris contacted me within an hour of the Bugtraq
email going out ;-)

-HD

On Tuesday 21 June 2005 13:17, H D Moore wrote:
> I am trying to reach the security contact at Lyris (www.lyris.com). I
> sent an email to every address listed on the web site and keep getting
> blown off by the operator when I call[1]. The OSVDB Vendor Dictionary
> has no contact information listed for Lyris. There are a number of
> serious, remotely-exploitable issues in the ListManager product...