Message-ID: <Pine.BSO.4.58.0411261440380.17159@naughty.monkey.org>
Date: Fri, 26 Nov 2004 14:45:22 -0500 (EST)
From: Jose Nazario <jose@...key.org>
To: Heikki Toivonen <heikki@...foundation.org>
Cc: full-disclosure@...ts.netsys.com, vuln-dev@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: FIREFOX flaws: nested array sort() loop Stack overflow exception

On Thu, 25 Nov 2004, Heikki Toivonen wrote:

> 3. Either login if you already have an account, or click "create new
> account". Let's assume we need to create a new account...
> 4. Type in a valid email address and click "Create Account"
> 5. [mail] Read email that was sent to the address to get password
> 6. back on in the browser, click "log in here"
> 7. fill in your username and password and click "login"

[snip the rest of useful info on how to post good, healthy, actionable bug reports]

Requiring someone to register to post a bug is harmful in the sense that you wind up turning off people who simply can't be bothered to fill out that info or wish to remain anonymous. While I definitely see the benefit of forcing registration or even wanting it, I bet you're losing more bug reports than you care to imagine this way.

Benefits of forcing/encouraging registration include:

- guaranteed line of followup
- reduced spam quantities in bugzilla
- at least a cutoff of "i care enough to ..."

Still, you're losing more than you may expect. I know I've failed to file bug reports (non-security related) for mozilla products due to this "speed bump".

The security@ route is useful, and I'm glad you pointed it out.

This point should be considered by anyone who runs a bug reporting page for open submissions: you may be doing more harm than benefit.

________
jose nazario, ph.d.			jose@...key.org
http://monkey.org/~jose/		http://infosecdaily.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html