Message-ID: <CALyUobd53e0i4KvvYnhNccuwDYxfjH6m6oONnwwaUmfTNUUbjw@mail.gmail.com>
Date: Sun, 18 Mar 2012 21:27:16 +0000
From: upsploit advisories <upsploitadvisories@...ploit.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fw: Earth to Facebook

We don't just send the initial advisory... I guess I need to make the
website slightly more informative!

After the initial contact we have (currently) a 6 month disclosure policy.

We send an email every month, in the final month once a week and in the
final week once a day. This email is automatically generated and includes
information about how long is left, how many emails we have sent etc.

Please note that the 6 months is being changed to 1 month without contact 3
month fix (case by case) in the near future.

Thanks

On 18 March 2012 21:24, Thor (Hammer of God) <thor@...merofgod.com> wrote:

> Why not just provide them with the contact and they can forward it on
> directly?  Then you could obviate the entire trust issue…
>
> t
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *upsploit
> advisories
> *Sent:* Sunday, March 18, 2012 1:56 PM
> *To:* Michal Zalewski
> *Cc:* full-disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] Fw: Earth to Facebook
>
> The only other people that see the vulnerability are the select few in
> upSploit.
>
> However if the vendor is already in the upSploit database the advisory
> gets submitted straight away to the vendor.
>
> If you want to try it out there should be an upSploit vendor in the vendor
> list. Submit some advisories there.
>
> There is no ploy - like anything it is about trust. I created the service
> because when I first started I found it hard to find contacts sometimes.
> Use it if you want, don't if you don't. Simple as that really!
>
> Use it once for something you may not care about too much and see how it
> works for you.
>
> Thanks,
>
> On 18 March 2012 20:22, Michal Zalewski <lcamtuf@...edump.cx> wrote:
>
> > Without meaning to advertise, that is one of the reasons upSploit was
> > created - so that you could submit a vulnerability and then upSploit
> > automatically sends to the vendor. This way you and your friend don't have
> > to do any of the work on the disclosure.
>
> I clicked around and don't see any obvious explanation; other than the
> reporter and the vendor, who else gets to see the submissions and
> under what circumstances?
>
> /mz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
