lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 Jun 2004 00:46:09 +0200
From: Stefan de Bruijn <s.t.j.debruijn@...dent.utwente.nl>
To: jsklein@...dspring.com, bugtraq@...urityfocus.com
Cc: tommy@...videsecurity.com, frogman@...osecwar.net
Subject: Re: Question About Ethics and Full Disclosure


Just my 2 cents - why reporting it to US-CERT as an exceptional "US"-case? I 
really don't see why US should exclusively be informed about all disclosures of 
vulnerabilities; not to mention the fact that I trust CERT to be reporting the 
disclosures to them if they find that action appropriate.

Greetings,

Stefan de Bruijn.


Joe Klein wrote:

> Below is an outline for my disclosure process.
> 
> 
> Vulnerability Found:
> 
> 1. E-Mail & Call company about finding 
> 	- Document vulnerability
> 	- Document date/time/who you talked to.
> 	- Provide an 'ethical disclosure' reporting deadline 
> 		- one to nine months, depending on the vulnerability
> 	- Inform them you will be reporting them to www.cert.org and
> www.us-cert.gov 
> 
> 2. Report Vulnerability to:
> 	A. www.cert.org :
> http://www.cert.org/reporting/vulnerability_form.txt
> 	B. www.us-cert.gov : cert@...t.org
> 
> ----
> Vulnerability is addressed - day upgrade/patch is released
> 
> 1. Disclose to your favorite list/lists
> 	- Disclose your process
> 	- Disclose your due diligence
> 		- communication to/from company
> 		- posting to cert.org and us-cert.gov
> 	- Disclose the vulnerability
> 
> ----
> Vulnerability not addressed - one to nine months
> 
> 1. E-Mail & Call company
> 	- Documentation of vulnerability
> 	- Documentation of your due diligence
> 		- reporting communication to/from company
> 		- reporting to cert.org and us-cert.gov
> 	- Provide date of disclosure
> 
> Day of Disclosure:
> 
> 1. Disclose to your favorite list/lists
> 	- Disclose your process
> 	- Disclose your due diligence
> 		- communication to/from company
> 		- posting to cert.org and us-cert.gov
> 	- Disclose the vulnerability
> 
> 
> Opinions?
> 
> 
> 
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey@...oweb.com] 
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy@...videsecurity.com; frogman@...osecwar.net
> Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
> vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
> Subject: RE: Question About Ethics and Full Disclosure
> 
> 
> Try calling the sales department for the shopping cart vendor.  Tell
> them you hard about the 2 vulnerabilities, thll them that when they are
> fixed, you might perhaps buy their product...  Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
> 
> -----Original Message-----
> From: Tom [mailto:tommy@...videsecurity.com] 
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman@...osecwar.net
> Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
> vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
> Subject: Question About Ethics and Full Disclosure
> 
> 
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed.  Now I have found a 3rd with new services added to
> this shopping cart. 
> 
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
> 	
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
> 
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
> 
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
> 
> Thanks,
> 
> Tom Ryan

-- 
Slapen is nuttig. Het zorgt er namelijk voor dat je niet meer hoeft te slapen -
en aangezien slapen compleet nutteloos is, is slapen dus een nuttige bezigheid.


Powered by blists - more mailing lists