Re: [Full-disclosure] Vulnerabilities Hashes DB needed
Hi,

On Sun, May 06, 2007 at 05:45:45PM +0200, shadown wrote:
> 2- There are some vendors that are really difficult to deal with. It took me
> about 4 months to get the right contact to report the bugs, and this would
> be another thing to think about, a public 'Vendor's Vulnerability Reporting
> Contact DB/List'.
That would definitely be helpful, the situation sounds familiar ...

> The main mailing list should create a 'Vulnerabilities Hashes mailing list'
> where the research community can send the hashes of the PoC files just
> before they contact the vendors. That way if the vendors do not give the
> proper credits to the researchers, at least the researchers will have another
> proof to show that they were the ones that reported the vulnerabilities, and
> not just the mails they've crossed with the vendors.
You should have a look at the (free) PGP Digital Timestamping Service
at http://www.itconsult.co.uk/stamper/stampinf.htm. No need to reinvent
the wheel there, it's been alive for about 12 years now and will
timestamp and PGP sign anything you send it, including hashes.

HTH,
Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
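The proposal above (commit to a hash of the PoC before contacting the vendor, then reveal the PoC later to prove priority) is a plain commit-and-reveal scheme. The following is an added example, not code from the thread or from the stamper service: it builds the record a researcher would send to a timestamping service and the check anyone can run afterwards. The PoC bytes, the label and the record layout are constructed for this example; the one practitioner caveat it demonstrates is the random nonce, without which the digest of a short or predictable PoC file could be brute-forced from the public record before disclosure.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed stand-in for a PoC file. It is sample data for this example
# and does not correspond to any real vulnerability.
SAMPLE_POC = b"#!/usr/bin/env python3\n# hypothetical crasher\nprint('boom')\n"


def commit(poc_bytes: bytes, label: str, nonce: bytes = b"") -> tuple[dict, bytes]:
    """Build the record to timestamp: a salted SHA-256 of the PoC.

    Only the record leaves the researcher's machine; the nonce stays with
    the PoC. The record therefore proves possession of the file at stamping
    time without disclosing it, and the nonce stops anyone from confirming a
    guess about the PoC contents by recomputing the bare file hash.
    """
    if not nonce:
        nonce = secrets.token_bytes(32)
    h = hashlib.sha256()
    h.update(nonce)
    h.update(poc_bytes)
    record = {
        "label": label,                      # free-form, e.g. product and bug nickname
        "alg": "sha256",
        "digest": h.hexdigest(),
        "created": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    return record, nonce


def stamp_message(record: dict) -> str:
    """Canonical one-line form of the record, i.e. the text you would paste
    into the mail sent to a timestamping service so the signed copy can be
    compared byte for byte later."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def verify(record: dict, poc_bytes: bytes, nonce: bytes) -> bool:
    """Reveal step: given the PoC and nonce, recompute and compare with the
    digest in the timestamped record. Constant-time compare is not strictly
    needed for a public digest, but it is the idiomatic way to compare MACs
    and digests and costs nothing."""
    if record.get("alg") != "sha256":
        return False
    expected = hashlib.sha256(nonce + poc_bytes).hexdigest()
    return hmac.compare_digest(expected, record["digest"])


if __name__ == "__main__":
    rec, n = commit(SAMPLE_POC, "vendor-x-parser-crash")
    print("send this to the stamper:", stamp_message(rec))
    print("keep private:", n.hex())
    print("later verification:", verify(rec, SAMPLE_POC, n))
```

Keep the nonce next to the PoC (for instance in the same encrypted archive); losing it makes the stamped record useless, since the digest can no longer be reproduced. Hashing several files is the same procedure with one record per file, or one record over an archive whose contents you also keep.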