Open Source and information security mailing list archives
Message-ID: <17225058251.20020825235430@securityoffice.net>
From: ts at securityoffice.net (Tamer Sahin)
Subject: HP Full Disclosure Story

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

Like Steve said, I can't expect that I'm responsible to a person who doesn't know anything about me.
At this point, the thing that should not be forgotten is the approach to HP. I behaved in an understanding
way and wanted to publish this vulnerability without any harm to anyone, but what did they do? They
threatened me, likening it to the terrorist activity that happened on September 11th.

I do respect Steve's thoughts, but I cannot know whether Steve thinks the same way as HP, can I? He
is a stranger to me too, and his work for "Mitre" doesn't make him impartial.

Another thing that shouldn't be missed is that "Dan Grove" (HP Security Response Team Chief) works
for "FIRST". Shouldn't a person who works in an organization like FIRST have more common sense?

Before I publish any vulnerability I send it to the related company, but things usually don't happen
the way you want them to. I'd like to mention the replies I have had below...

- - I don't get any response from the company.

- - They respond to the mails but suggest no solutions. (for example: "this problem will be solved in
our xxx version", but with no release date for that version.)

- - They reply with misleading mails saying that the vulnerability is only theoretical, or that there is
no vulnerability, so that the security announcement is not published.

- - They threaten... (Like HP)

Of course I want to give the solution or the patch for the vulnerability in every security announcement,
and I try to announce on bugtraq or vulnwatch if there is any solution provided or a patch released by
the company. But I think some companies don't deserve more than this in a subject as critical as
"security", unless they change their approach.

Best Regards,

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPWlEB/pL5ibJRTtBAQHJ0Qf7Bt5qwGMh6UXQrugxxUKf7RFTV4g2pLP3
QcJng7Q3t+ML4/IdnpiQ990DWy0fh+1wGI6ki01jdCBfYTnxxwMhM4QNcPRi0g6g
rhw9YaPX8TakDCL0BJeyuF6WX6Ig683CtxBlgDWozk5UCAqJ+cXYLd3D+cWFHoQA
5yyWVPPwhQZM5RKSVBieByCfMEq6bhgBdP96mDX28Gfk7nsSXiUWlYVZ8tw41+ZW
oGfq5GMIKhsBa1Zjq+vpyek60RKx2bMx+x5pwFAseV5cxYlvKAAk0GthW9RmaYn3
QTJsNu5p9TM0Ge+4tvn0dgwGWRSwZDph2jKXtCqcERRt14BQMYSzDQ==
=XAXw
-----END PGP SIGNATURE-----