Message-ID: <Pine.BSO.4.58.0411261440380.17159@naughty.monkey.org>
Date: Fri, 26 Nov 2004 14:45:22 -0500 (EST)
From: Jose Nazario <jose@...key.org>
To: Heikki Toivonen <heikki@...foundation.org>
Cc: full-disclosure@...ts.netsys.com, vuln-dev@...urityfocus.com,
   bugtraq@...urityfocus.com
Subject: Re: FIREFOX flaws: nested array sort() loop Stack
 overflow exception


On Thu, 25 Nov 2004, Heikki Toivonen wrote:

> 3. Either login if you already have an account, or click "create new
> account". Let's assume we need to create a new account...
> 4. Type in a valid email address and click "Create Account"
> 5. [mail] Read email that was sent to the address to get password
> 6. back on in the browser, click "log in here"
> 7. fill in your username and password and click "login"

[snip the rest of useful info on how to post good, healthy, actionable bug
reports]

requiring someone to register to post a bug is harmful in the sense that
you wind up turning off people who simply can't be bothered to fill out
that info or wish to remain anonymous. while i definitely see the benefit
of forcing registration or even wanting it, i bet you're losing more bug
reports than you care to imagine this way.

benefits of forcing/encouraging registration include:
	- guaranteed line of followup
	- reduced spam quantities in bugzilla
	- at least a cutoff of "i care enough to ..."

still, you're losing more than you may expect. i know i've failed to file
bug reports (non-security related) for mozilla products due to this "speed
bump". the security@ route is useful, and i'm glad you pointed it out.
this point should be considered by anyone who runs a bug reporting page
for open submissions, you may be doing more harm than benefit.

________
jose nazario, ph.d.			jose@...key.org
http://monkey.org/~jose/ 		http://infosecdaily.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

