Date: Thu, 10 Jun 2004 12:59:53 -0400
From: "Syste Op" <sysop5@...mail.com>
To: jsklein@...dspring.com
Cc: bugtraq@...urityfocus.com, security-basics@...urityfocus.com,
	vuln-dev@...urityfocus.com, webappsec@...urityfocus.com
Subject: RE: Question About Ethics and Full Disclosure


That's a good way of doing it. I think it would be better to shorten the 
period of time from 1-9 months to 1-5. When you're reporting a 
vulnerability, you should try and report the fix for it too. In my opinion, 
exploit code should be posted a few weeks after the vulnerability has been 
reported to ensure that the company works on a fix.
-OptiKal Mouse

>From: "Joe Klein" <jsklein@...dspring.com>
>Reply-To: <jsklein@...dspring.com>
>To: "'Kevin E. Casey'" <kcasey@...oweb.com>,<tommy@...videsecurity.com>, 
><frogman@...osecwar.net>
>CC: <bugtraq@...urityfocus.com>, 
><security-basics@...urityfocus.com>,<vuln-dev@...urityfocus.com>, 
><webappsec@...urityfocus.com>
>Subject: RE: Question About Ethics and Full Disclosure
>Date: Wed, 9 Jun 2004 08:11:48 -0500
>
>Below is an outline for my disclosure process.
>
>
>Vulnerability Found:
>
>1. E-Mail & Call company about finding
>	- Document vulnerability
>	- Document date/time/who you talked to.
>	- Provide an 'ethical disclosure' reporting deadline
>		- one to nine months, depending on the vulnerability
>	- Inform them you will be reporting them to www.cert.org and
>www.us-cert.gov
>
>2. Report Vulnerability to:
>	A. www.cert.org :
>http://www.cert.org/reporting/vulnerability_form.txt
>	B. www.us-cert.gov : cert@...t.org
>
>----
>Vulnerability is addressed - day upgrade/patch is released
>
>1. Disclose to your favorite list/lists
>	- Disclose your process
>	- Disclose your due diligence
>		- communication to/from company
>		- posting to cert.org and us-cert.gov
>	- Disclose the vulnerability
>
>----
>Vulnerability not addressed - one to nine months
>
>1. E-Mail & Call company
>	- Documentation of vulnerability
>	- Documentation of your due diligence
>		- reporting communication to/from company
>		- reporting to cert.org and us-cert.gov
>	- Provide date of disclosure
>
>Day of Disclosure:
>
>1. Disclose to your favorite list/lists
>	- Disclose your process
>	- Disclose your due diligence
>		- communication to/from company
>		- posting to cert.org and us-cert.gov
>	- Disclose the vulnerability
>
>
>Opinions?
>
>
>
>-----Original Message-----
>From: Kevin E. Casey [mailto:kcasey@...oweb.com]
>Sent: Thursday, May 20, 2004 4:31 PM
>To: tommy@...videsecurity.com; frogman@...osecwar.net
>Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
>vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
>Subject: RE: Question About Ethics and Full Disclosure
>
>
>Try calling the sales department for the shopping cart vendor.  Tell
>them you heard about the 2 vulnerabilities, tell them that when they are
>fixed, you might perhaps buy their product...  Sales motivates
>development... Or at the least might get you to a person at the vendor
>who cares.
>
>-----Original Message-----
>From: Tom [mailto:tommy@...videsecurity.com]
>Sent: Thursday, May 20, 2004 3:43 PM
>To: frogman@...osecwar.net
>Cc: bugtraq@...urityfocus.com; security-basics@...urityfocus.com;
>vuln-dev@...urityfocus.com; webappsec@...urityfocus.com
>Subject: Question About Ethics and Full Disclosure
>
>
>I have sat on 2 vulnerabilities for a shopping cart for over a year and
>nothing has changed.  Now I have found a 3rd with new services added to
>this shopping cart.
>
>I have emailed support several times but NEVER get a response. As a
>security professional and not to be Unethical what would be a
>recommended path to follow?
>
>* Notify their customers (several 100)
>* Notify the Payment Gateways they are Authorized to use (VeriSign,
>PayPal, Authorize.NET)
>* Be a total A** and just release it to all the mailing lists and at
>DEFCON
>
>BTW...I have sent several emails to various parts of VeriSign and NOBODY
>has responded as to the proper person to notify within the organization
>about this. I chose VeriSign because this cart is at the Top of Their
>List!
>
>IF anyone knows who to contact from VeriSign, authorize.net and PayPal
>about this please email me directly.
>
>Thanks,
>
>Tom Ryan
