Bugtraq mailing list archives
Administrivia
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 22 Feb 1999 10:10:30 -0800
Full Disclosure Debate

I did say I would kill this thread come Monday. So that's what I'm doing. I'll leave you with a little something from the (unreleased) BugTraq FAQ:

1.9 What is the proper protocol when reporting a security vulnerability?

Everyone has a different opinion on what is the proper protocol. A sensible protocol to follow when reporting a security vulnerability is as follows:

a) Contact the product's vendor or maintainer and give them a one or two week period to respond. Make sure you ask for a reply. You may also want to contact CERT, if for no other reason than to have them keep statistics. If they don't respond, post to the list.

b) If you do hear from the vendor, give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time, post to the list.

c) If they contact you asking for more time, consider extending the deadline in good faith. If they continually fail to meet the deadline, post to the list.

When is it advisable to post to the list without contacting the vendor?

a) When you cannot find a contact within the vendor to make a report.

b) When the product is no longer actively supported.

c) When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.

All this being said, we'd rather have people report vulnerabilities to the list and not inform the vendors, whatever their reasons may be, than have them keep the information to themselves.

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01