Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

From: GreyMagic Software (security@GREYMAGIC.COM)
Date: 05/01/02


Date:         Wed, 1 May 2002 15:42:26 +0200
From: GreyMagic Software <security@GREYMAGIC.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

The bug was not reported sooner because we had to test it properly, on as
many configurations as possible; this takes time since this vulnerability is
not the only issue we're dealing with.

When this was entered into Bugzilla we were well into the 30th in Israel.

In our submission to Netscape we specifically said that we plan to wait 5
days, not 5 business days, for a reply from Netscape. Is a simple reply too
much?

We ended up waiting 6 days, which were 5 business days. Why 5?

According to RFP's disclosure policy:

"The ORIGINATOR is the individual or group submitting the ISSUE."
"All dates, times, and time zones are relative to the ORIGINATOR."
"A work day is generally defined in respect to the ORIGINATOR."

Since the ORIGINATOR is in Israel, Sunday is a business day like any other.

We never expected an immediate "payoff", all we asked for was a little
acknowledgement that Netscape received our post and that it is being
handled. After 6 days, longer than the time we gave them to respond, we went
public.

        - GMS

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Sam Greenfield
Sent: Wednesday, May 01, 2002 02:14
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Reading local files in Netscape 6 and Mozilla (GM#001-NS)

GreyMagic Software writes:
> Discovery date: 30 Mar 2002.
[...]
> Netscape was contacted on 24 Apr 2002 through a form on their web
> site and through email to security@netscape.com and
> secure@netscape.com. They did not bother to respond AT ALL, and we
> think we know why.

It seems a bit irresponsible to report a bug in a product to the
vendor almost one calendar month after discovering a security
hole. Is there any reason why GreyMagic decided not to report this
bug sooner?

For what it's worth, according to the Bugzilla database, this was
entered as a bug in the underlying Mozilla code on April 29, the third
business day after GreyMagic reported the bug.

For full details, see
http://bugzilla.mozilla.org/show_bug.cgi?id=141061 (When it was
created, the bug report was marked "Security-Sensitive" due to the
fact that this was a security issue.) The bug is marked as a
critical, high severity bug, and a fix is desired for the first full release
of Mozilla.

> Users of Netscape Navigator should move to a better performing, less
> buggy browser.

What browser does GreyMagic recommend?

> By completely disregarding our post Netscape has earned themselves a $1000
> and lost any credibility they might have had. The money is irrelevant, but
> using such a con to attract researchers into disclosing bugs to Netscape is
> extremely unprofessional.

I'm also a little surprised that GreyMagic expected an immediate
response and an immediate payoff. It has only been four business days
since they reported this bug to Netscape.

                                                        Sam Greenfield

n.b. I have no affiliation with the Mozilla projects--all of my
information is gleaned from the public Bugzilla website.
