Open Source and information security mailing list archives
Message-ID: <200208281556.g7SFuwv28869@mailserver2.hushmail.com>
From: choose.a.lusername at hushmail.com (choose.a.lusername@...hmail.com)
Subject: Re: HP Full Disclosure Story

Steven,

I would like to know how you determined this:

"with an implied Grace Period of 0 days"

Since the vendor did not say to publish the results of the challenge publicly on this list, would your policy not have required you to contact him first - in private - before making it public? In other words, is the default of your policy to make whatever one finds public in the event that "vendors [do not] publish information including what Grace Period" or do not state to not make it public?

Sounds good to me. Seems like that is precisely what everyone is doing and has been doing all this time. And now including you.

Vulnerability Disclosure Policy
-------------------------------

No compensation or credit is expected for discovery of this vulnerability. This vulnerability was released in accordance with the Responsible Disclosure Process draft. Section 4.1, vendor policy, suggests that vendors publish information including what Grace Period the vendor wishes to observe, if any, before publishing details. The xxt vendor challenged the public to find a vulnerability that "would render a root shell when xxt is SUID root," with an implied Grace Period of 0 days. Since this vulnerability is less severe than a root shell in general (at best it allows users to decrypt other users' files, which only potentially affects root), it is reasonable to follow the suggested 0 day Grace Period.