What Discoverers need to know about vulnerability reporting
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Fri, 4 Jan 2002 16:42:37 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
1. Make a reasonable effort to contact the Vendor of the product for which
you've discovered a vulnerability. That may include calling their head
office, or corporate offices, and asking to speak to someone who has
something to do with security of their products. If that doesn't work, ask
for the Product Manager, and if all else fails, the Marketing Manager. One
of these people should know the right person to speak to.
2. Check my NTBugtraq VAN Members page,
http://ntbugtraq.ntadvice.com/VANMembers.asp. If I have the company listed
there, it means I have a direct contact with that Vendor and can get in
touch with them by phone ASAP. I don't want to take over your issue, but I
will freely help in establishing communications between you and them so you
can describe your issues (privately, or with me cc'd). I always ask them
first if they mind, and will usually have them contact you (via email if
that's all you give me, or by phone if you give me a number).
I am always available to anyone who is having trouble with a Vendor, or
having trouble getting in touch with a Vendor. I can make phone calls,
contact others who may know who to call, etc... and won't charge you a dime.
I don't even need to know the full details, although I will always expect to
know enough to ensure it's a reasonable request.
3. Leave the politics out of your message. Declan McCullagh's
http://www.politechbot.com/ list is a far better place for any such
statements. I do appreciate concerns about governments and corporations, but
really, NTBugtraq's not the place for such stuff.
4. Finally, and this is very important, make sure that any code you provide
with your vulnerability reports is substantially incomplete. Anyone who is
desperate to get the full details can contact you directly after your
advisory is sent out, but the vast majority of the 36,000+ subscribers of
NTBugtraq aren't going to do anything with a code sample. I do believe it's
very possible to provide sufficient details to prove your point without
providing enough code to turn your sample into a malicious exploit. w00w00's
recent advisory included more code than necessary IMO, and while it wasn't a
"fully functional" code sample, "shellcode starts here" gives a good start
to the technically clue-less.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Voice: 1-705-878-3405
Email: russ.cooper@rc.on.ca