Message-ID: <41AAEAC8.8050401@home.se>
Date: Mon, 29 Nov 2004 10:24:24 +0100
From: exon <exon@...e.se>
Cc: full-disclosure@...ts.netsys.com, vuln-dev@...urityfocus.com,
   bugtraq@...urityfocus.com
Subject: Re: FIREFOX flaws: nested array sort() loop Stack overflow exception


Jose Nazario wrote:
> On Thu, 25 Nov 2004, Heikki Toivonen wrote:
> 
> 
>>3. Either login if you already have an account, or click "create new
>>account". Let's assume we need to create a new account...
>>4. Type in a valid email address and click "Create Account"
>>5. [mail] Read email that was sent to the address to get password
>>6. back on in the browser, click "log in here"
>>7. fill in your username and password and click "login"
> 
> 
> [snip the rest of useful info on how to post good, healthy, actionable bug
> reports]
> 
> requiring someone to register to post a bug is harmful in the sense that
> you wind up turning off people who simply can't be bothered to fill out
> that info or wish to remain anonymous.


Hence the security@...illa.org address.

If you are anxious to get the bug fixed you have the option of filling 
out the form and thereby making yourself available for further 
questions, getting email with bug updates and the ability to submit 
coredumps and whatnot.

If you're not so anxious you can simply send in an email and be content 
with having let them know about it. Firefox still has the benefit of 
running on a multitude of platforms and architectures. Someone trying to 
exploit a vulnerability in it (as opposed to just crashing it) would 
have to know both to be successful.

> while i definitely see the benefit
> of forcing registration or even wanting it, i bet you're losing more bug
> reports than you care to imagine this way.
> 

Perhaps the problem lies in the fact that the mozilla coders want people 
to use the forum so they don't promote the security@...illa.org mail 
address enough?

> benefits of forcing/encouraging registration include:
> 	- guaranteed line of followup
> 	- reduced spam quantities in bugzilla
> 	- at least a cutoff of "i care enough to ..."
> 
> still, you're losing more than you may expect. i know i've failed to file
> bug reports (non-security related) for mozilla products due to this "speed
> bump". the security@ route is useful, and i'm glad you pointed it out.
> this point should be considered by anyone who runs a bug reporting page
> for open submissions, you may be doing more harm than benefit.
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

