Ipswitch Means Business

A while back I was fuzzing with Hzzp and found a remote format string vulnerability in Ipswitch’s WS_FTP. But, I couldn’t find a security contact for Ipswitch. I waited a few months and made the vulnerability public. The day afterwards, a representative from Ipswitch contacted me and I explained why I hadn’t contacted them previously. He was eager to get the vulnerability fixed and made the comment that they’ll need to do a better job publicizing the security contact information. I was happy to have had received a more professional, non-automated email from someone who seemed to care about the security of their company’s product.

I didn’t worry too much about the update process. I know it can take some companies months or even years to release new patches for vulnerabilities in their products, which most of the time is completely unreasonable. Then, a little more than two weeks later, I received an email from that same Ipswitch representative informing me that a new release of WS_FTP was available and the date in the Help->About window should say Sept 18th (10 days after we discussed the vulnerability). What an excellent example of how vendors should handle security issues within their products.

Fast response, efficient security policy, good business. Thanks Ipswitch!

  • http://clinta.ecol.net hapbt

    i know different people can have different experiences with the same company, but i ran imail from ipswitch for many years and after 10 came out, it was like the iis portion of it was beyond the comprehension of their tech support. we had some major issues with it basically not working, being unresponsive, and i went back and forth with them for months, and basically felt like i got blown off after the problem became too much of a pain for them to deal with. frustrating. now had you tried to get them to track down the security hole while you were experiencing an attack instead of basically fixing their software for them for free, i bet your experience would have been different :)
    also you dont see them backporting ANY of their security fixes, ipswitch is upgrade-or-die all the way, and it sucks. and on top of it, they now require activation of server software which although more and more popular is an administrative headache sometimes.
    in the end i moved to mdaemon which was cheaper to buy and get support for than to keep upgrading on the $2000-a-year imail train.
    and ws_ftp still isnt as good of a client as filezilla, which is free.