Message-ID: <3D591CF3.6000901@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: The Large-Scale Threat of Bad Data in DNS

FORENSICS.ORG Security Coordinator wrote:
> On a related subject, everyone involved in the process of computer security
> vulnerability discovery, disclosure, and software bug fixes should take a
> moment to familiarize themselves with the internet draft of the Responsible
> Vulnerability Disclosure Process, and in particular note the important role
> of a third-party "coordinator" in cases where any party involved in the
> process needs help communicating with any other party to ensure proper
> handling and comprehensive understanding of complex technical materials:
> 
> http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
> 
> Most vulnerability disclosures occur today without comprehensive
> cross-vendor research facilitated by a coordinator. Our group of forensic
> experts makes its members available to function as Security Coordinators to
> any party who needs this type of technical assistance.
> 

I am getting tired of speculations about this draft, which the IETF did not 
approve.
So in the case of the DNS browser fun, Microsoft denied this to be a problem, so 
some good coordinator should try to convince them that this is really a bug and 
that they should be so kind as to fix it, or am I missing something?
Or is the idea for the coordinator to sell the info early?

What about the following: me becoming the personal coordinator of forensics.org 
(without any obligations on my part, of course), i.e. whenever forensics.org 
becomes aware of a 0day, they notify me about the 0day with full details?

In case you have missed it, some people quite disagree with the draft, check:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html

Georgi Guninski
http://www.guninski.com
