nanog mailing list archives

Re: NSP-SEC


From: Sean Donelan <sean () donelan com>
Date: Sat, 20 Mar 2010 16:12:31 -0400 (EDT)

On Sat, 20 Mar 2010, William Pitcock wrote:
> If you're a 15 year old kid and you just discovered a way to own the
> latest IOS, for example, how do you know who to tell about it?

Read the manual? Most products and open source projects have a manual which includes information about contacting the vendor or project.

If you don't have the manual, but know how to use a search engine, try a search for "reporting security vulnerabilities". Most major IT vendors and open source projects have a security reporting page. Some people have suggested vendors and projects have a common URL such as ".../security" with security information.

For example, if you found a vulnerability in IOS, look up the following URL
to find out Cisco's reporting contacts:

http://www.cisco.com/security

Report a potential vulnerability in Cisco products:
psirt () cisco com

Urgent technical assistance for non-security issues that involve Cisco products:
Cisco Technical Support
800 553 2447 (U.S.)
Worldwide Contacts

Emergency response to active security incidents that involve Cisco products:
PSIRT
877 228 7302 (U.S.)
+1 408 525 6532 (outside U.S.)

Report an incident involving the Cisco corporate network:
infosec () cisco com


If you still don't know who to contact, CERT/CC maintains a world-wide map of national computer security incident response teams.

http://www.cert.org/cert/map_open.html

Although some of the "intra" forums between CSIRT, vendor, project, provider, researcher communities aren't open to everyone, e.g. a CSIRT forum may only have CSIRTs, an academic forum may only have academics; each of the CSIRTs, vendors, projects, providers have contacts for reporting vulnerabilities that may affect their constituencies.

