| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: fulldisc at ultratux.org (Maarten) Subject: Gmail Information Disclosure Vulnerability On Monday 05 July 2004 19:42, Eric LeBlanc wrote: > On Mon, 5 Jul 2004, System Outage wrote: > I agree with "System Outage". Gmail clearly told us that their website is > in BETA stage. Beta, alpha, released, yada yada. Gmail is OPEN for the public, albeit you need "an invitation". Thus, enough reason to disclose security holes. > For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that > this software MAY HAVE security holes. That's why they want us to test > this site before going to the public release, and it's our job to notify > to the gmail team all bugs AND security holes we may find. As long as > this website is in beta stage, all advisory that someone may send in this > list or elsewhere are NOT considered 'Security Advisory' for me. Hm. By that standard, we could not ever disclose stuff about microsoft software. Cause their stuff is indefinitely beta, hahaha. ;-) > The original author may not receive answers from the Gmail Team, but this > site is NOT IN PRODUCTION. When gmail site will be official and when this > bug is still there, NOW you can publish your security advisory. So, the solution to having embarrassing security problems published is never declare the program "Released". Can someone please tell microsoft? They'd be real interested to declare IE and Outlook beta-software forever in that case. > Futhermore, the best people for testing the software (bugs and security > holes) is the public. They can do many things which we will never > thought or imagined. Well now, isn't this e x a c t l y what's happening here ? > BTW, I'm sure that the Gmail developers expect that the public will find > some security holes... > > If we must publish all security advisorys about beta software, this list > will be flooded... The very reason to HAVE a beta test phase is to find and flush out bugs early. Doing that, the released program can be as flawless as can be. So when would you suggest disclosing bugs is a good time ? Release date being too late... Maarten -- Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Powered by blists - more mailing lists