Full Disclosure mailing list archives

Re: Oracle Security Contact


From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 5 Nov 2002 23:32:04 -0500 (EST)


On the full-disclosure list, low halo asked:

Could someone please give me the security contact address for Oracle
Corporation?  It seems as though their marketing department's
"Unbreakable" slogan makes them think that it's OK to bury their
security advisories & contact info deep within their site somewhere.

It's not immediately obvious when navigating from the www.oracle.com
home page, but it's listed at:
http://otn.oracle.com/deploy/security/alerts.htm

  secalert_us () oracle com

I found this by doing a site search on "vulnerability," which led me
to the advisory page.

Very few vendor home pages (open/closed source, freeware or not) seem
to make it easy to find a security contact, or advisory page, from the
home page.

Here's a quick look I just did from the home pages of various software
providers.  Your Mileage May Vary.


from www.microsoft.com: click on "Security" in the resources menu,
click on "more bulletins and patches," go to "contact Microsoft
security"

from www.redhat.com: there's no "security" link on the front page.
The "community resources" menu does not mention a security link.  The
"support & docs" link asks for user registration, but there's an
"errata" menu on the left hand side.  This gets us to a "security
alerts" page but I don't see any security POCs there.  There's a
"Bugzilla" link on the left hand menu, but this leads to the
bugzilla.redhat.com web site, which requires registration.  The online
security advisories don't seem to list a security contact.  The
advisories, when posted to Bugtraq, come from bugzilla () redhat com and
not some security-specific email address.  But the advisory does list
a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which
suggests that a security () redhat com address is available.  On this PGP
key page, there's a "Red Hat Security Resource Center" menu along with
a "Security Contacts and Procedures" option.  Then I see that this was
under the "Enterprise Solutions" web page, which could have been found
from the www.redhat.com home page had I clicked on the "Enterprise
Solutions" link instead of the "Support & Docs" link.

from www.suse.de: click "security announcements" and the security
contact is near the top of the page

from www.debian.com: click "security information" which links to the
"Debian security FAQ" which has a "How can I reach the security team?"
question which points to security () debian org

from www.sun.com: I have two main navigation options, "solutions" or
"support & training."  I'll try "solutions" since that would have
worked for Red Hat.  There's a "security" option under "Consulting
Services" but that's for, well, their consulting services.  But
there's a "Related Links" whose first item is "Security" which gets us
to the main security page, and its first link is for the security
bulletins, which lists security-alert () sun com.

from www.novell.com: I gasp and reluctantly allow the ActiveX control
to run, although IE isn't telling me which control I'm allowing.  I
try a text search for "secur" [security, secure] which seems to find
something, but it's not highlighted in my browser so I can't tell.
Emboldened by previous "Solutions" successes, I go there first, but
this time no luck.  The "support" menu doesn't include a security
sub-item but I click it anyway and find the Novell security alerts
page, which includes a form I can use to submit bugs.

from www.mandrake.com: I get redirected to www.linux-mandrake.com and
go to the Security Updates link, which has the
security () linux-mandrake com address.

from www.openbsd.org: I click on the "Security" link and the
"Reporting problems" section points to deraadt () openbsd org

from www.cisco.com: a "secur" search has similar issues that I had
with www.novell.com (i.e. it's somewhere in the page but I can't find
it), though it does show up in a "Networking Solutions & Provisioned
Services" item.  I click on that and get a big Javascript menu with a
security option (maybe that was one of the search matches?), so I go
there, but the page is for various security solutions and not a
security contact.  I use a drop-down menu to go to tech support,
search for "secur" and get the SNMP advisory.  I notice a "Contact
PSIRT" reference but for the sake of experimentation I'll pretend I
don't know what PSIRT means, I'm looking for "security" people.  So I
go to the SNMP security advisory, which has a "Cisco Security
Procedures" section, which then gets me to the PSIRT page and the
security-alert () cisco com / psirt () cisco com addresses.

from www.freebsd.org: click on "Security" and the first section brings
us to security-officer () FreeBSD org.

from www.hp.com: no matches on "secur".  I try "support and drivers"
and then "HP technical support."  There's a "security" option under
software, which brings me to a page that tells me how I can "receive
security bulletins by email," which isn't quite what I'm looking for
but close enough.  This tells me I have to go to the "HP IT Resource
Center" web site, register, then log in... but I'm not really in the
mood to register right now, I've already got enough web accounts to
manage.  I just happen to notice a small "security" link on the top of
the page that hasn't been visited before, so I go there
(http://www.hp.com/security/index.html).  There are some drop-down
menus including particular product categories, so I'll just pick
"hp-ux" software.  This lists various security products but no
security contacts or promising links.  I try "all hp internet security
products and technologies" but that gets me back to a page I've
already seen.  I try the "contact hp" link, which gets me to
http://thenew.hp.com/country/us/eng/contact_us.html.  The main page
doesn't immediately grab me, but the left hand menu says "report a
software security issue" and I click on it.  This points me to
security-alert () hp com.

from www.mozilla.org: see
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html

In short, the ease with which security contacts can be found varies
from site to site, and individual to individual.  There are many
different "reasonable" paths that somebody might take in finding a
security contact.

Software providers who wish to simplify vulnerability notification can
address some of this with prominent links from all of these pages:

 - security pages (both the "solutions" and advisory pages)

 - the advisories themselves

 - tech support

 - the "contact us" page.


- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html