From: djcapelisp at yahoo.com (D.J. Capelis)
Subject: Gmail Information Disclosure Vulnerability

The notion that this list is only for reporting
bugs in software that isn't in beta is absurd. 
If there's a major vulnerability in gaim or
firefox I'd expect to hear about them on this
list.  (Both are in beta (firefox is alpha I
think they like to say these days?))  If there is
a large userbase using it that is vulnerable to a
security concern then it should be on this list. 
That's what this list is about, making people
aware and sharing new security vulnerabilities.

So stop shouting that (s)he's losing
"credibility" in the "scene."  In my eyes he
gained a lot by actually classifying his neat
little hack by saying it's got a really low
severity.  (And by finding a small hole in gmail,
there's plenty of people looking and google has
some great coders.)  More "respected" security
firms should take a leaf from his/her book and
learn to mark severity of their discoveries
correctly.

(And really?  The security "scene?"  What is this
to you, a little social tea party?)

~D.J. Capelis~
Security and Cryptography Researcher

--- System Outage <system_outage@...oo.com>
wrote:
> Gmail service is in Beta. You have no
> credibility posting this advisory. The correct
> channel to post such "bugs" is the Gmail
> contact link for "bug reports". 
>  
> If you weren't a script kiddie or scene whore,
> you would have known to hold information until
> such a time that Gmail became a public service.
>  
> Then and only then would anyone take this
> advisory seriously!
>  
> You obviously have no understanding of the
> "Beta" state of a development. The fact that a
> team of developers are in the state of "Beta"
> means that the developers are fully aware the
> service may not be entirely secure and they
> wish feedback via Google's own beta "bug
> report" channels.
>  
> All in all, this is  a "beta bug report" and
> nothing else. If you had waited until the Gmail
> dev team declared gmail a public release, you
> would have gained more respect in the security
> community scene.
>  
> Cheerio
>  




	
		