Message-ID: <0HEN001QQHJUED@smtp2.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Hotmail & Passport (.NET Accounts)
"adf--at--Code511.com" <adf@...e511.com> replied to Darren Reed's
reply:
> >> Is it me or ms never credit vulnerabilities according to
> >> http://www.microsoft.com/security/passport_issue.asp "a report was
> >> published detailing a security vulnerability(...)"? No more details or
> >> credit.
> >
> > And they should because...? If you ask me, doing this for "fame and
> > fortune" is really against what i would call traditional hacker ethic.
> That was just a simple question. AFAIK they DO for some vulnerabilities: do
> you remember IIS issue (MS99-047) discovered by eeye years ago? Well the
> Acknowledgments display credit. Same for most of the latest security bulletins
> as displayed http://www.microsoft.com/technet/security/: MS03-015 etc...
>
> The question is not fame or whatever you call it, just a question about
> selective Acknowledgments from ms.
Whether you like it or not, MS has a policy governing acknowledgement
of vulnerability discoverers/reporters:
http://www.microsoft.com/technet/security/bulletin/policy.asp
Admittedly that is titled "Acknowledgment Policy for Microsoft
Security Bulletins" and the page you ask about is not a security
bulletin, but don't you think it likely or reasonable that MS may
apply the same acknowledgement standards to ad hoc security
announcements as it does to its official security bulletins?
As it seems that nothing close to Microsoft's expected standard of
cooperation between discoverer and its security teams occurred in
this case, it should not be surprising that MS did not put the
discoverer(s) on the acknowledgement pedestal. MS does not (for
easily understood reasons) want to encourage the non-observance of
its preferred vulnerability reporting, resolution and release
procedures by acknowledging people who hijack or derail that
process, regardless of the motivations for that action.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854