Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.33.0208252024330.131-100000@abacus.xcorps.net>
From: jonathan at xcorps.net (Jonathan Rickman)
Subject: Re: [VulnDiscuss] HP Full Disclosure Story

On Fri, 23 Aug 2002, Kevin Spett wrote:

> I think it'd be great if people made a habit of posting researcher-vendor
> communications like this.  They say a lot about a company's attitude and
> policy regarding security and can help sysadmins, developers, security
> professionals, etc. decide whether they would want to buy from them.  This
> would be a good way for vendors to show the community that they react to
> reports of vulnerabilities in a responsible, communicative and friendly
> manner.  It would also be a good way to expose vendors such as HP who fail
> miserably to do so.

I think it is also very important to keep all parts of the conversation
intact. There is a significant portion of this particular conversation
that was not included, which I suspect, sent the conversation on the
downward spiral. No offense to Tamer, but this strikes me as a case of a
researcher who insisted on setting HP's rules for them "on the fly" as it
were. HP has a policy in place. Flawed or not, they have to work within
the confines of that policy. They were fairly candid with you...and I
quote:

"Let me be very candid here, you are not the first to assume
that a $50 billion corporation will drop all the other security
issues we are working on in order to work on yours because
you threaten to publish. It has never changed the course of
our work internally; we will continue to work on the issue
until it is tested and finished."

Honestly, that sounds pretty reasonable to me, considering that we do not
have the privilege of reading the communication from you. For all we know,
your email to them consisted of "ph33r m3 HP, eye will dr0p dis 0day b0mb
on yo @z in 10 minutes if joo do not r3zpect my skillz!!!" Once again,
Tamer, no offense intended, but that part of the conversation does seem to
be critical, since that's where things turned south. As for their
September 11th remarks, I consider that pretty tasteless and cliche, and I
seriously doubt that that is the "Company Line", but rather the work of
one individual who has not learned to toe that "Company Line" quite right.

Another possibility is that the folks at HP were slow to pick up on the
fact that English is obviously not your first language, and ask for
further clarification. Sometimes that is a source of confusion, even
when dealing with someone who writes fairly well, such as yourself.

I think Dan at HP summed the whole thing up best when he said,
"We did reply, and you are making the assumption that your
issue is the only one we have to work on, and that it is
the most important."

I suspect that he hit the proverbial nail right on the head with that one.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net