Message-ID: <C1C91D37.92BB%thor@hammerofgod.com>
Date: Tue, 09 Jan 2007 10:21:43 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: SAP Security Contact

On 1/6/07 4:14 PM, "Nicob" <nicob@...ob.net> spoketh to all:
> On Friday, 05 January 2007, Thor (Hammer of God) wrote:
>
>> Something like security@....com may seem obvious, but it's better if you
>> list specific contact info so it can be easily found.
>
> I don't want to be rude but :
> - security@...ain.tld is the only standardized security contact (as
> defined by RFC 2142)
> - googling security@....com would bring some results
> - this was already answered on the Full-Disclosure mailing list
> - the OSVDB Vendor Dictionary contains a record for SAP
> - even the SecurityFocus site has some references to this email
> address : http://www.securityfocus.com/columnists/415

You're not being rude at all-- that was my point about security@....com
"being somewhat obvious." RFC states the use of a "security" mailbox. But
in the absence of any official reference, you really don't know if it is a
valid contact or not.

The main point was that when someone goes to a vendor's domain and clicks
"contact us" there should be a security reference there. That fact is
evident when you consider that this thread wouldn't exist in the first place
had SAP simply provided that information. A security researcher shouldn't
have to Google various machinations of possible security contact references,
nor should they have to search off-site security portals (and have to trust
the results) to see if a particular email address exists when it is trivial
to stick a link on a vendor's "official" page... It's really not that big of
a deal.

t