lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.GSO.4.43.0211061537330.12024-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Re: Oracle Security Contact

Many ISPs and some corps now list an abuse@ address in their domain info.
Sure would be nice to see vendors also include such security@ contact
addresses in their domain info, rather than make folks hunt and seek such
critical information all over the web.


Thanks,

Ron DuFresne


On Tue, 5 Nov 2002, Steven M. Christey wrote:

>
> On the full-disclosure list, low halo asked:
>
> >Could someone please give me the security contact address for Oracle
> >Corporation?  It seems as though their marketing department's
> >"Unbreakable" slogan makes them think that it's OK to bury their
> >security advisories & contact info deep within their site somewhere.
>
> It's not immediately obvious when navigating from the www.oracle.com
> home page, but it's listed at:
> http://otn.oracle.com/deploy/security/alerts.htm
>
>   secalert_us@...cle.com
>
> I found this by doing a site search on "vulnerability," which led me
> to the advisory page.
>
> Very few vendor home pages (open/closed source, freeware or not) seem
> to make it easy to find a security contact, or advisory page, from the
> home page.
>
> Here's a quick look I just did from the home pages of various software
> providers.  Your Mileage May Vary.
>
>
> from www.microsoft.com: click on "Security" in the resources menu,
> click on "more bulletins and patches," go to "contact Microsoft
> security"
>
> from www.redhat.com: there's no "security" link on the front page.
> The "community resources" menu does not mention a security link.  The
> "support & docs" link asks for user registration, but there's an
> "errata" menu on the left hand side.  This gets us to a "security
> alerts" page but I don't see any security POCs there.  There's a
> "Bugzilla" link on the left hand menu, but this leads to the
> bugzilla.redhat.com web site, which requires registration.  The online
> security advisories don't seem to list a security contact.  The
> advisories, when posted to Bugtraq, come from bugzilla@...hat.com and
> not some security-specific email address.  But the advisory does list
> a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which
> suggests that a security@...hat.com address is available.  On this PGP
> key page, there's a "Red Hat Security Resource Center" menu along with
> a "Security Contacts and Procedures" option.  Then I see that this was
> under the "Enterprise Solutions" web page, which could have been found
> from the www.redhat.com home page had I clicked on the "Enterprise
> Solutions" link instead of the "Support & Docs" link.
>
> from www.suse.de: click "security announcements" and the security
> contact is near the top of the page
>
> from www.debian.com: click "security information" which links to the
> "Debian security FAQ" which has a "How can I reach the security team?"
> question which points to security@...ian.org
>
> from www.sun.com: I have two main navigation options, "solutions" or
> "support & training."  I'll try "solutions" since that would have
> worked for Red Hat.  There's a "security" option under "Consulting
> Services" but that's for, well, their consulting services.  But
> there's a "Related Links" whose first item is "Security" which gets us
> to the main security page, and its first link is for the security
> bulletins, which lists security-alert@....com.
>
> from www.novell.com: I gasp and reluctantly allow the ActiveX control
> to run, although IE isn't telling me which control I'm allowing.  I
> try a text search for "secur" [security, secure] which seems to find
> something, but it's not highlighted in my browser so I can't tell.
> Emboldened by previous "Solutions" successes, I go there first, but
> this time no luck.  The "support" menu doesn't include a security
> sub-item but I click it anyway and find the Novell security alerts
> page, which includes a form I can use to submit bugs.
>
> from www.mandrake.com: I get redirected to www.linux-mandrake.com and
> go to the Security Updates link, which has the
> security@...ux-mandrake.com address.
>
> from www.openbsd.org: I click on the "Security" link and the
> "Reporting problems" section points to deraadt@...nbsd.org
>
> from www.cisco.com: a "secur" search has similar issues that I had
> with www.novell.com (i.e. it's somewhere in the page but I can't find
> it), though it does show up in a "Networking Solutions & Provisioned
> Services" item.  I click on that and get a big JavaScript menu with a
> security option (maybe that was one of the search matches?), so I go
> there, but the page is for various security solutions and not a
> security contact.  I use a drop-down menu to go to tech support,
> search for "secur" and get the SNMP advisory.  I notice a "Contact
> PSIRT" reference but for the sake of experimentation I'll pretend I
> don't know what PSIRT means, I'm looking for "security" people.  So I
> go to the SNMP security advisory, which has a "Cisco Security
> Procedures" section, which then gets me to the PSIRT page and the
> security-alert@...co.com / psirt@...co.com addresses.
>
> from www.freebsd.org: click on "Security" and the first section brings
> us to security-officer@...eBSD.org.
>
> from www.hp.com: no matches on "secur".  I try "support and drivers"
> and then "HP technical support."  There's a "security" option under
> software, which brings me to a page that tells me how I can "receive
> security bulletins by email," which isn't quite what I'm looking for
> but close enough.  This tells me I have to go to the "HP IT Resource
> Center" web site, register, then log in... but I'm not really in the
> mood to register right now, I've already got enough web accounts to
> manage.  I just happen to notice a small "security" link on the top of
> the page that hasn't been visited before, so I go there
> (http://www.hp.com/security/index.html).  There are some drop-down
> menus including particular product categories, so I'll just pick
> "hp-ux" software.  This lists various security products but no
> security contacts or promising links.  I try "all hp internet security
> products and technologies" but that gets me back to a page I've
> already seen.  I try the "contact hp" link, which gets me to
> http://thenew.hp.com/country/us/eng/contact_us.html.  The main page
> doesn't immediately grab me, but the left hand menu says "report a
> software security issue" and I click on it.  This points me to
> security-alert@...com.
>
> from www.mozilla.org: see
> http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html
>
> In short, the ease with which security contacts can be found varies
> from site to site, and individual to individual.  There are many
> different "reasonable" paths that somebody might take in finding a
> security contact.
>
> Software providers who wish to simplify vulnerability notification can
> address some of this with prominent links from all of these pages:
>
>  - security pages (both the "solutions" and advisory pages)
>
>  - the advisories themselves
>
>  - tech support
>
>  - the "contact us" page.
>
>
> - Steve
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

