Re: [Full-disclosure] Fw: Earth to Facebook



We don't just send the initial advisory... I guess I need to make the
website slightly more informative!

After the initial contact we have (currently) a 6 month disclosure policy.

We send an email every month, in the final month once a week and in the
final week once a day. This email is automatically generated and includes
information about how long is left, how many emails we have sent, etc.

Please note that the 6 months is being changed to 1 month without contact,
3 month fix (case by case) in the near future.

Thanks

On 18 March 2012 21:24, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:

Why not just provide them with the contact and they can forward it on
directly? Then you could obviate the entire trust issue…

t

From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of upsploit advisories
Sent: Sunday, March 18, 2012 1:56 PM
To: Michal Zalewski
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Fw: Earth to Facebook


The only other people that see the vulnerability are the select few in
upSploit.


However, if the vendor is already in the upSploit database the advisory
gets submitted straight away to the vendor.


If you want to try it out there should be an upSploit vendor in the vendor
list. Submit some advisories there.


There is no ploy. Like anything, it is about trust. I created the service
because when I first started I found it hard to find contacts sometimes.
Use it if you want, don't if you don't. Simple as that really!


Use it once for something you may not care about too much and see how it
works for you.


Thanks,


On 18 March 2012 20:22, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote:

> Without meaning to advertise, that is one of the reasons upSploit was
> created - so that you could submit a vulnerability and then upSploit
> automatically sends to the vendor. This way you and your friend don't have
> to do any of the work on the disclosure.

I clicked around and don't see any obvious explanation; other than the
reporter and the vendor, who else gets to see the submissions and
under what circumstances?

/mz


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/