Re: Vendor notification

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 03/30/05

  • Next message: Fergie (Paul Ferguson): "Re: Vendor notification"
    Date: Wed, 30 Mar 2005 12:43:17 -0800
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
    
    

    And keep in mind I'm also talking from the standpoint of "I see a new
    exploit for 05-002, do you guys?"

    I'm not talking about security vulnerability, per se, I'm talking about
    "here are the bad packets I'm seeing hitting my ports and maybe someone
    needs to know about this".

    I'm talking about informing about 'bad stuff in the wild' to help the
    vendor know that we are all protected for this stuff.

    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

    > Just a question...on your security incident checklist is there a step
    > for vendor notification? Example secure@microsoft.com for Microsoft
    > products.
    >
    > Like for example on this list... when you report something unusual
    > here ...is there a point in time that reporting it to the security
    > department of Redhat, SuSe, Microsoft, etc. would be a valid exercise?
    >
    > I find sometimes that it's on these listservs that are the first
    > 'indicators' of issues and that vendors will grab these threads and
    > emails and pull in a case that should have had vendor notification
    > much earlier.
    >
    > I've seen this happen twice personally to me where an email thread that
    > I spotted got the attention of a vendor and when the poster was
    > contacted they hadn't even thought it was worthy enough to report it
    > to the vendor, yet in reality it was.
    >
    > At what point do you notify? Do you have criteria for notification?
    > [heck, do you have the vendor email contacts listed on your incident
    > checklist?]
    >
    > Susan
    >
    > http://www.redhat.com/security/team/contact/
    >
    > Microsoft TechNet Security - Microsoft Security Response Center PGP Key:
    > https://www.microsoft.com/technet/security/bulletin/pgp.mspx
    >

    -- 
    Chapter 4 of The Complete Patch Management Book: 
    https://www.ecora.com/ecora/jump/pm149.asp
    So why is it the only book on NT Event Logging is out of print?
    http://tinyurl.com/3kwc2
    And if you don't know about www.eventid.net You should!
    
