| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jonathan at xcorps.net (Jonathan Rickman) Subject: Re: [VulnDiscuss] HP Full Disclosure Story On Fri, 23 Aug 2002, Kevin Spett wrote: > I think it'd be great if people made a habit of posting researcher-vendor > communications like this. They say a lot about a company's attitude and > policy regarding security and can help sysadmins, developers, security > professionals, etc. decide whether they would want to buy from them. This > would be a good way for vendors to show the community that they react to > reports of vulnerabilities in a responsible, communicative and friendly > manner. It would also be a good way to expose vendors such as HP who fail > miserably to do so. I think it is also very important to keep all parts of the conversation intact. There is a significant portion of this particular conversation that was not included, which I suspect, sent the conversation on the downward spiral. No offense to Tamer, but this strikes me as a case of a researcher who insisted on setting HP's rules for them "on the fly" as it were. HP has a policy in place. Flawed or not, they have to work within the confines of that policy. They were fairly candid with you...and I quote: "Let me be very candid here, you are not the first to assume that a $50 billion corporation will drop all the other security issues we are working on in order to work on yours because you threaten to publish. It has never changed the course of our work internally; we will continue to work on the issue until it is tested and finished." Honestly, that sounds pretty reasonable to me, considering that we do not have the privilege of reading the communication from you. For all we know, your email to them, consisted of "ph33r m3 HP, eye will dr0p dis 0day b0mb on yo @z in 10 minutes if joo do not r3zpect my skillz!!!" Once again, Tamer, no offense intended, but that part of the conversation does seem to be critical, since that's where things turned south. As for their September 11th remarks, I consider that pretty tasteless and cliche, and I seriously doubt that that is the "Company Line", but rather the work of one individual who has not learned to toe that "Company Line" quite right. Another possibility is that the folks at HP were slow to pick up on the fact that English is obviously not your first language, and ask for further clarification. Sometimes that is a source of confusion, even when dealing with someone who writes fairly well, such as yourself. I think Dan at HP summed the whole thing up best when he said, "We did reply, and you are making the assumption that your issue is the only one we have to work on, and that it is the most important." I suspect that he hit the proverbial nail right on the head with that one. -- Jonathan Rickman X Corps Security http://www.xcorps.net
Powered by blists - more mailing lists