Date: Sun, 24 Jan 2010 21:56:26 +0100
From: Pastor Kornell <pastor.kornell@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Cc: jamesbirk@...il.com
Subject: Re: FortiGuard Advisory: Microsoft Internet Explorer Remote Memory Corruption Vulnerability

James Birk <jamesbirk@...il.com> wrote:
> Good to see nothing's changed with Bugtraq in fifteen years.  Anyone want
> to point me to a security list where ads like the one below are not
> allowed?
>

James has a fair point. The advisory could be talking about 9 out of
any 10 Internet Explorer bugs, it was completely generic. No poc, no
analysis, no exploit. Haifei does not tell me anything I did not know
already from MSFT (not much).

I do not care if you want to tag on a listing for your business or
product with the presentation of your work, but it better be a useful
contribution and not an infomercial. It doesn't matter if you do not
have an exploit, but you have to explain the bug with some debugger /
disassembler / output data and analysis so that we can understand or
assess whether it is realistically exploitable. If you do not show us
even one test case, then we can not test the fix or verify it is fixed
correctly and not just a band-aid around the problem. Learning about
the bug also lets us track trends and do other useful work.

As a useful guide, count how many lines in your mail are advertisement
and how many are advisory - if there are more lines talking about
"FortiGate, FortiMail, FortiShamWow and DietForti" than there are
about the bug, you're doing it wrong.

For now, everyone would have been better off bindiffing just the patch
rather than reading your emails. Please fix this in future.

PK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/