Full Disclosure mailing list archives
Re: HP Full Disclosure Story
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 28 Aug 2002 08:56:57 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven,

I would like to know how you determined this: "with an implied Grace Period of 0 days"

Since the vendor did not say to publish the results of the challenge publicly on this list, would your policy not have required you to contact him first - in private - before making it public? In other words, is the default of your policy to make whatever one finds public in the event that "vendors [do not] publish information including what Grace Period" or do not state not to make it public?

Sounds good to me. Seems like that is precisely what everyone is doing and has been doing all this time. And now including you.

Vulnerability Disclosure Policy
- -------------------------------

No compensation or credit is expected for discovery of this vulnerability.

This vulnerability was released in accordance with the Responsible Disclosure Process draft. Section 4.1, vendor policy, suggests that vendors publish information including what Grace Period the vendor wishes to observe, if any, before publishing details. The xxt vendor challenged the public to find a vulnerability that "would render a root shell when xxt is SUID root," with an implied Grace Period of 0 days. Since this vulnerability is less severe than a root shell in general (at best it allows users to decrypt other users' files, which only potentially affects root), it is reasonable to follow the suggested 0 day Grace Period.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmcEARECACcFAj1s8YIgHGNob29zZS5hLmx1c2VybmFtZUBodXNobWFpbC5jb20ACgkQ
T4xCkuLXILpGnACdFNLmBq2BFaARfC8XrtECvGGd/6EAn01/l5ZMQChM8YcODzYMVTCp
d2Rc
=B9b0
-----END PGP SIGNATURE-----

Get your free encrypted email at https://www.hushmail.com
Current thread:
- Re: HP Full Disclosure Story, (continued)
- Re: HP Full Disclosure Story Charles Stevenson (Aug 26)
- Re: HP Full Disclosure Story KF (Aug 26)
- Re: HP Full Disclosure Story KF (Aug 26)
- Re: HP Full Disclosure Story Anthony DeRobertis (Aug 25)
- Re: HP Full Disclosure Story full-disclosure () lists netsys com (Aug 24)
- Re: HP Full Disclosure Story Defender Defender (Aug 24)
- Re: HP Full Disclosure Story Defender Defender (Aug 24)
- HP Full Disclosure Story Tamer Sahin (Aug 25)
- HP Full Disclosure Story Tamer Sahin (Aug 25)
- Re: HP Full Disclosure Story Steven M. Christey (Aug 27)
- Re: HP Full Disclosure Story full-disclosure () lists netsys com (Aug 28)