Open Source and information security mailing list archives
Date: Thu, 10 Jun 2004 00:46:09 +0200
From: Stefan de Bruijn <s.t.j.debruijn@...dent.utwente.nl>
To: jsklein@...dspring.com, bugtraq@...urityfocus.com
Cc: tommy@...videsecurity.com, frogman@...osecwar.net
Subject: Re: Question About Ethics and Full Disclosure

Just my 2 cents - why reporting it to US-CERT as an exceptional "US"-case?
I really don't see why US should exclusively be informed about all
disclosures of vulnerabilities; not to mention the fact that I trust CERT
to be reporting the disclosures to them if they find that action
appropriate.

Greetings,
Stefan de Bruijn.

Joe Klein wrote:
> Below is an outline for my disclosure process.
>
>
> Vulnerability Found:
>
> 1. E-Mail & Call company about finding
> - Document vulnerability
> - Document date/time/who you talked to.
> - Provide an 'ethical disclosure' reporting deadline
> - one to nine months, depending on the vulnerability
> - Inform them you will be reporting them to www.cert.org and
> www.us-cert.gov
>
> 2. Report Vulnerability to:
> A. www.cert.org :
> http://www.cert.org/reporting/vulnerability_form.txt
> B. www.us-cert.gov : cert@...t.org
>
> ----
> Vulnerability is addressed - day upgrade/patch is released
>
> 1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
> ----
> Vulnerability not addressed - one to nine months
>
> 1. E-Mail & Call company
> - Documentation of vulnerability
> - Documentation of your due diligence
> - reporting communication to/from company
> - reporting to cert.org and us-cert.gov
> - Provide date of disclosure
>
> Day of Disclosure:
>
> 1. Disclose to your favorite list/lists
> - Disclose your process
> - Disclose your due diligence
> - communication to/from company
> - posting to cert.org and us-cert.gov
> - Disclose the vulnerability
>
>
> Opinions?
>
>
>
> -----Original Message-----
> From: Kevin E. Casey [mailto:kcasey@...oweb.com]
> Sent: Thursday, May 20, 2004 4:31 PM
> To: tommy@...videsecurity.com; frogman@...osecwar.net
> Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
> vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
> Subject: RE: Question About Ethics and Full Disclosure
>
>
> Try calling the sales department for the shopping cart vendor. Tell
> them you heard about the 2 vulnerabilities, tell them that when they are
> fixed, you might perhaps buy their product... Sales motivates
> development... Or at the least might get you to a person at the vendor
> who cares.
>
> -----Original Message-----
> From: Tom [mailto:tommy@...videsecurity.com]
> Sent: Thursday, May 20, 2004 3:43 PM
> To: frogman@...osecwar.net
> Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
> vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
> Subject: Question About Ethics and Full Disclosure
>
>
> I have sat on 2 vulnerabilities for a shopping cart for over a year and
> nothing has changed. Now I have found a 3rd with new services added to
> this shopping cart.
>
> I have emailed support several times but NEVER get a response. As a
> security professional and not to be Unethical what would be a
> recommended path to follow?
>
> * Notify their customers (several 100)
> * Notify the Payment Gateways they are Authorized to use (VeriSign,
> PayPal, Authorize.NET)
> * Be a total A** and just release it to all the mailing lists and at
> DEFCON
>
> BTW...I have sent several emails to various parts of VeriSign and NOBODY
> has responded as to the proper person to notify within the organization
> about this. I chose VeriSign because this cart is at the Top of Their
> List!
>
> IF anyone knows who to contact from VeriSign, authorize.net and PayPal
> about this please email me directly.
>
> Thanks,
>
> Tom Ryan

--
Sleeping is useful. It ensures that you no longer need to sleep - and since
sleeping is completely useless, sleeping is therefore a useful activity.