lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200704251854.l3PIsnTk022522@faron.mitre.org>
Date: Wed, 25 Apr 2007 14:54:49 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: 3Com's TippingPoint Denial of Service


Simple Nomad said:

>A series of evil packets will cause me to have remote root access to
>Windows, Linux, and MacOS/X. Due to the nature of the vulnerability, I
>will not be releasing any details. In fact, it is so secret even *I*
>don't know the details, but I am *positive* that when I see someone
>else post my work, I should get full credit, right?

Great point.

Seriously, though - this is becoming a big problem on these lists.  If
you don't post details, *and* you don't coordinate with the vendor,
then you have provided ZERO actionable information, not to mention
causing confusion when some details do come out in later disclosures -
is it the same issue or not?  Are customers protected or not?

It's not just disclosures by unknown parties, either - some great
examples of this are the GLEG and Immunity pay-to-play disclosures
that don't include any vendor notification.  For example, a GLEG
proFTPd report caused no end of havoc for all parties concerned,
including the Linux distros themselves, although at least there was a
back-reference to make the connection, which is still pretty rare for
a vendor.  And there's also some difficulty in handling disclosures
with a grace period in products whose vendors do not provide credits,
as happens with NGS Software sometimes.

Lately, CVE has started taking the approach that if there's no
actionable information, *and* the researcher is not known to be
reliable, then the reports amount to little more than rumors until
proven otherwise.  We assume (perhaps mistakenly) that reliable
researchers have done their homework and are reporting new issues.
Vulnerability information is noisy enough as it is without adding
vague, unactionable claims into the mix.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ