Full Disclosure mailing list archives
RE: Re: Oracle Security Contact
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 6 Nov 2002 17:46:08 -0600
Especially since they're required by RFC.

Paul Schmehl (pauls () utdallas edu)
TCS Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Wednesday, November 06, 2002 3:39 PM
To: Steven M. Christey
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Oracle Security Contact

Many ISPs and some corps now list an abuse@ address in their domain info. Sure would be nice to see vendors also include such security@ contact addresses in their domain info, rather than make folks hunt and seek such critical information all over the web.

Thanks,

Ron DuFresne

On Tue, 5 Nov 2002, Steven M. Christey wrote:

On the full-disclosure list, low halo asked:

Could someone please give me the security contact address for Oracle Corporation? It seems as though their marketing department's "Unbreakable" slogan makes them think that it's OK to bury their security advisories & contact info deep within their site somewhere.

It's not immediately obvious when navigating from the www.oracle.com home page, but it's listed at:

http://otn.oracle.com/deploy/security/alerts.htm

secalert_us () oracle com

I found this by doing a site search on "vulnerability," which led me to the advisory page.

Very few vendor home pages (open/closed source, freeware or not) seem to make it easy to find a security contact, or advisory page, from the home page. Here's a quick look I just did from the home pages of various software providers. Your Mileage May Vary.

from www.microsoft.com: click on "Security" in the resources menu, click on "more bulletins and patches," go to "contact Microsoft security"

from www.redhat.com: there's no "security" link on the front page. The "community resources" menu does not mention a security link. The "support & docs" link asks for user registration, but there's an "errata" menu on the left hand side. This gets us to a "security alerts" page but I don't see any security POCs there. There's a "Bugzilla" link on the left hand menu, but this leads to the bugzilla.redhat.com web site, which requires registration. The online security advisories don't seem to list a security contact. The advisories, when posted to Bugtraq, come from bugzilla () redhat com and not some security-specific email address. But the advisory does list a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which suggests that a security () redhat com address is available. On this PGP key page, there's a "Red Hat Security Resource Center" menu along with a "Security Contacts and Procedures" option. Then I see that this was under the "Enterprise Solutions" web page, which could have been found from the www.redhat.com home page had I clicked on the "Enterprise Solutions" link instead of the "Support & Docs" link.

from www.suse.de: click "security announcements" and the security contact is near the top of the page

from www.debian.com: click "security information" which links to the "Debian security FAQ" which has a "How can I reach the security team?" question which points to security () debian org

from www.sun.com: I have two main navigation options, "solutions" or "support & training." I'll try "solutions" since that would have worked for Red Hat. There's a "security" option under "Consulting Services" but that's for, well, their consulting services. But there's a "Related Links" whose first item is "Security" which gets us to the main security page, and its first link is for the security bulletins, which lists security-alert () sun com.

from www.novell.com: I gasp and reluctantly allow the ActiveX control to run, although IE isn't telling me which control I'm allowing. I try a text search for "secur" [security, secure] which seems to find something, but it's not highlighted in my browser so I can't tell. Emboldened by previous "Solutions" successes, I go there first, but this time no luck. The "support" menu doesn't include a security sub-item but I click it anyway and find the Novell security alerts page, which includes a form I can use to submit bugs.

from www.mandrake.com: I get redirected to www.linux-mandrake.com and go to the Security Updates link, which has the security () linux-mandrake com address.

from www.openbsd.org: I click on the "Security" link and the "Reporting problems" section points to deraadt () openbsd org

from www.cisco.com: a "secur" search has similar issues that I had with www.novell.com (i.e. it's somewhere in the page but I can't find it), though it does show up in a "Networking Solutions & Provisioned Services" item. I click on that and get a big Javascript menu with a security option (maybe that was one of the search matches?), so I go there, but the page is for various security solutions and not a security contact. I use a drop-down menu to go to tech support, search for "secur" and get the SNMP advisory. I notice a "Contact PSIRT" reference but for the sake of experimentation I'll pretend I don't know what PSIRT means, I'm looking for "security" people. So I go to the SNMP security advisory, which has a "Cisco Security Procedures" section, which then gets me to the PSIRT page and the security-alert () cisco com / psirt () cisco com addresses.

from www.freebsd.org: click on "Security" and the first section brings us to security-officer () FreeBSD org.

from www.hp.com: no matches on "secur". I try "support and drivers" and then "HP technical support." There's a "security" option under software, which brings me to a page that tells me how I can "receive security bulletins by email," which isn't quite what I'm looking for but close enough. This tells me I have to go to the "HP IT Resource Center" web site, register, then log in... but I'm not really in the mood to register right now, I've already got enough web accounts to manage. I just happen to notice a small "security" link on the top of the page that hasn't been visited before, so I go there (http://www.hp.com/security/index.html). There are some drop-down menus including particular product categories, so I'll just pick "hp-ux" software. This lists various security products but no security contacts or promising links. I try "all hp internet security products and technologies" but that gets me back to a page I've already seen. I try the "contact hp" link, which gets me to http://thenew.hp.com/country/us/eng/contact_us.html. The main page doesn't immediately grab me, but the left hand menu says "report a software security issue" and I click on it. This points me to security-alert () hp com.

from www.mozilla.org: see http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html

In short, the ease with which security contacts can be found varies from site to site, and individual to individual. There are many different "reasonable" paths that somebody might take in finding a security contact. Software providers who wish to simplify vulnerability notification can address some of this with prominent links from all of these pages:

- security pages (both the "solutions" and advisory pages)
- the advisories themselves
- tech support
- the "contact us" page.

- Steve

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Oracle Security Contact dev-null (Nov 05)
- Re: Oracle Security Contact Kevin Spett (Nov 05)
- <Possible follow-ups>
- Re: Oracle Security Contact Steven M. Christey (Nov 05)
- Re: Re: Oracle Security Contact Chris Wysopal (Nov 06)
- Re: Oracle Security Contact Ron DuFresne (Nov 06)
- Re: Oracle Security Contact Gary Flynn (Nov 07)
- RE: Re: Oracle Security Contact Schmehl, Paul L (Nov 06)