lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4C110C9D.1050709@pacbell.net>
Date: Thu, 10 Jun 2010 09:02:37 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: Tavis Ormandy <taviso@...xchg8b.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences
 Incorrectly

I'm not asking about disclosure.  I'm asking what happened to the level 
of communication between you and MSRC that after 4 days you posted this?

Tavis Ormandy wrote:
> Susan, I wish I had the time to hold your hand through getting up to
> speed on the disclosure debate. Instead, I would suggest starting with
> the links in my advisory which were intended to give you enough
> background to understand the issues involved (skip to the Notes section,
> if you like).
>
> As I cannot hope to speak as eloquently on the topic as Bruce, I will
> not attempt to repeat them for you here.
>
> If after researching the topic you still have questions, please let me
> know.
>
> Thanks, Tavis.
>
> On Thu, Jun 10, 2010 at 08:36:09AM -0700, Susan Bradley wrote:
>   
>> I'm not an enterprise customer, but I am a mouthy female. So here's my 
>> question back to you, for my education, how exactly did MSRC contact you 
>> back? 
>>
>> Since June 5th have you tried emailing back or any of your contacts from 
>> past interactions and asked what was up?  I'm disappointed in this lack 
>> of communication I see on both sides.  You are ...well... Tavis 
>> Ormandy... I seriously doubt MSRC is blowing you off here.
>>
>> Keep in mind we just had a LARGE patch week to deal with.  I don't know 
>> what was going on on their side, nor making excuses as I don't know what 
>> communication you've had in the past and had on this issue ... I'm just 
>> saying I would have spent a little more time getting mad at them and 
>> sent a lot more emails back to them before posting this.
>>
>> (And try dealing with Microsoft licensing sometime if you think security 
>> communication is lacking)
>>
>>     
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ