Full Disclosure mailing list archives
Re: [VulnDiscuss] HP Full Disclosure Story
From: full-disclosure () lists netsys com (Jonathan Rickman)
Date: Sun, 25 Aug 2002 20:52:40 -0400 (EDT)
On Fri, 23 Aug 2002, Kevin Spett wrote:
> I think it'd be great if people made a habit of posting researcher-vendor communications like this. They say a lot about a company's attitude and policy regarding security and can help sysadmins, developers, security professionals, etc. decide whether they would want to buy from them. This would be a good way for vendors to show the community that they react to reports of vulnerabilities in a responsible, communicative and friendly manner. It would also be a good way to expose vendors such as HP who fail miserably to do so.
I think it is also very important to keep all parts of the conversation intact. There is a significant portion of this particular conversation that was not included, which, I suspect, sent the conversation on the downward spiral. No offense to Tamer, but this strikes me as a case of a researcher who insisted on setting HP's rules for them "on the fly", as it were. HP has a policy in place. Flawed or not, they have to work within the confines of that policy. They were fairly candid with you... and I quote:

"Let me be very candid here, you are not the first to assume that a $50 billion corporation will drop all the other security issues we are working on in order to work on yours because you threaten to publish. It has never changed the course of our work internally; we will continue to work on the issue until it is tested and finished."

Honestly, that sounds pretty reasonable to me, considering that we do not have the privilege of reading the communication from you. For all we know, your email to them consisted of "ph33r m3 HP, eye will dr0p dis 0day b0mb on yo @z in 10 minutes if joo do not r3zpect my skillz!!!" Once again, Tamer, no offense intended, but that part of the conversation does seem to be critical, since that's where things turned south.

As for their September 11th remarks, I consider that pretty tasteless and cliché, and I seriously doubt that that is the "Company Line", but rather the work of one individual who has not learned to toe that "Company Line" quite right. Another possibility is that the folks at HP were slow to pick up on the fact that English is obviously not your first language, and to ask for further clarification. Sometimes that is a source of confusion, even when dealing with someone who writes fairly well, such as yourself. I think Dan at HP summed the whole thing up best when he said, "We did reply, and you are making the assumption that your issue is the only one we have to work on, and that it is the most important."

I suspect that he hit the proverbial nail right on the head with that one.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net