Message-ID: <20100528142956.GH5921@securityfocus.com>
Date: Fri, 28 May 2010 08:29:56 -0600
From: dm@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: Administrivia: Real domain names in PoC/exploit examples

Hey everybody,

I just wanted to clarify our policy about accepting posts that contain
real domains and websites in proof-of-concept and exploit examples. We
don't. If I see this, my normal response is to bounce it back to the poster and
ask them to sanitize the example and resend their post. But this
causes delays in moderation and occasionally the poster doesn't resend
the message, which is unfortunate. You may ask why I don't just
sanitize it myself... well it is my policy not to edit posts unless it
is at the behest of the poster.

To clarify the kind of thing that is not acceptable:

- Examples that use the vendor's site (or demo installation)
- Examples that use a site where the software is installed
- Less obviously, examples that use any real domain (target.com is an
  example that someone kindly pointed out)

And this is the sort of thing that would be appropriate:

- www.example.com (this is really the best way to go)
- Some other place-holder that is not a valid domain such as <victim>,
  etc.

Thanks!

--
Dave McKinney
Symantec
keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E