From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Hotmail & Passport (.NET Accounts)

"adf--at--Code511.com" <adf@...e511.com> replied to Darren Reed's 
reply:

> >> Is it me or ms never credits vulnerabilities according to
> >> http://www.microsoft.com/security/passport_issue.asp  "a report was
> >> published detailing a security vulnerability(...)"? No more details or
> >> credit.
> > 
> > And they should because...?  If you ask me, doing this for "fame and
> > fortune" is really against what i would call traditional hacker ethic.
> That was just a simple question. AFAIK they DO for some vulnerabilities: do
> you remember the IIS issue (MS99-047) discovered by eEye years ago? Well the
> Acknowledgments display credit. Same for most of the latest security bulletins
> as displayed at http://www.microsoft.com/technet/security/: MS03-015 etc...
> 
> The question is not fame or whatever you call it, just a question about
> selective Acknowledgments from ms.

Whether you like it or not, MS has a policy governing acknowledgement 
of vulnerability discoverers/reporters:

   http://www.microsoft.com/technet/security/bulletin/policy.asp

Admittedly that is titled "Acknowledgment Policy for Microsoft 
Security Bulletins" and the page you ask about is not a security 
bulletin, but don't you think it likely or reasonable that MS may 
apply the same acknowledgement standards to ad hoc security 
announcements as it does to its official security bulletins?

As it seems that nothing close to Microsoft's expected standard of
cooperation between discoverer and its security teams occurred in
this case, it should not be surprising that MS did not put the
discoverer(s) on the acknowledgement pedestal.  MS does not (for
easily understood reasons) want to encourage the non-observance of
its preferred vulnerability reporting, resolution and release
procedures by acknowledging people who hijack or derail that
process, regardless of the motivations for that action.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
