Open Source and information security mailing list archives
 
Date: Tue, 09 Jan 2007 10:21:43 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: SAP Security Contact


On 1/6/07 4:14 PM, "Nicob" <nicob@...ob.net> spoketh to all:

> On Friday 05 January 2007, Thor (Hammer of God) wrote:
> 
>> Something like security@....com may seem obvious, but it's better if you
>> list specific contact info so it can be easily found.
> 
> I don't want to be rude but:
> - security@...ain.tld is the only standardized security contact (as
> defined by RFC 2142)
> - googling security@....com would bring some results
> - this was already answered on the Full-Disclosure mailing list
> - the OSVDB Vendor Dictionary contains a record for SAP
> - even the SecurityFocus site has some references to this email
> address : http://www.securityfocus.com/columnists/415

You're not being rude at all-- that was my point about security@....com
"being somewhat obvious." RFC states the use of a "security" mailbox.  But
in the absence of any official reference, you really don't know if it is a
valid contact or not.

The main point was that when someone goes to a vendor's domain and clicks
"contact us" there should be a security reference there.  That fact is
evident when you consider that this thread wouldn't exist in the first place
had SAP simply provided that information.  A security researcher shouldn't
have to Google various machinations of possible security contact references,
nor should they have to search off-site security portals (and have to trust
the results) to see if a particular email address exists when it is trivial
to stick a link on the vendor's "official" page...  It's really not that big of
a deal.

t

