RE: Re: Oracle Security Contact

["Schmehl, Paul L" <pauls () utdallas edu>]

Especially since they're required by RFC.

Paul Schmehl (pauls () utdallas edu)
TCS Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne () winternet com] 
> Sent: Wednesday, November 06, 2002 3:39 PM
> To: Steven M. Christey
> Cc: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Re: Oracle Security Contact
>
>
>
> Many ISP's and some corps now list an abuse@ address in their 
> domain info. sure would be nice to see vendors also include 
> such security@ contact addresses in their domain info, rather 
> then make folks hunt and seek such critical information all 
> over the web.
>
>
> Thanks,
>
> Ron DuFresne
>
>
> On Tue, 5 Nov 2002, Steven M. Christey wrote:
>
> > On the full-disclosure list, low halo asked:
> >
> > > Could someone please give me the security contact address 
> for Oracle 
> > > Corporation?  It seems as though their marketing department's 
> > > "Unbreakable" slogan makes them think that its OK to bury their 
> > > security advisories & contact info deep within their site 
> somewhere.
> > It's not immediately obvious when navigating from the 
> www.oracle.com 
> > home page, but it's listed at: 
> > http://otn.oracle.com/deploy/security/alerts.htm
> >
> >   secalert_us () oracle com
> >
> > I found this by doing a site search on "vulnerability," 
> which led me 
> > to the advisory page.
> >
> > Very few vendor home pages (open/closed source, freeware or 
> not) seem 
> > to make it easy to find a security contact, or advisory 
> page, from the 
> > home page.
> >
> > Here's a quick look I just did from the home pages of 
> various software 
> > providers.  Your Mileage May Vary.
> >
> >
> > from www.microsoft.com: click on "Security" in the resources menu, 
> > click on "more bulletins and patches," go to "contact Microsoft 
> > security"
> >
> > from www.redhat.com: there's no "security" link on the 
> front page. The 
> > "community resources" menu does not mention a security link.  The 
> > "support & docs" link asks for user registration, but there's an 
> > "errata" menu on the left hand side.  This gets us to a "security 
> > alerts" page but I don't see any security POC's there.  There's a 
> > "Bugzilla" link on the left hand menu, but this leads to the 
> > bugzilla.redhat.com web site, which requires registration.  
> The online 
> > security advisories don't seem to list a security contact.  The 
> > advisories, when posted to Bugtraq, come from 
> bugzilla () redhat com and 
> > not some security-specific email address.  But the advisory 
> does list 
> > a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which 
> > suggests that a security () redhat com address is available.  
> On this PGP 
> > key page, there's a "Red Hat Security Resource Center" menu 
> along with 
> > a "Security Contacts and Procedures" option.  Then I see 
> that this was 
> > under the "Enterprise Solutions" web page, which could have 
> been found 
> > from the www.redhat.com home page had I clicked on the "Enterprise 
> > Solutions" link instead of the "Support & Docs" link.
> >
> > from www.suse.de: click "security announcements" and the security 
> > contact is near the top of the page
> >
> > from www.debian.com: click "security information" which 
> links to the 
> > "Debian security FAQ" which has a "How can I reach the 
> security team?" 
> > question which points to security () debian org
> >
> > from www.sun.com: I have two main nagivation options, 
> "solutions" or 
> > "support & training."  I'll try "solutions" since that would have 
> > worked for Red Hat.  There's a "security" option under "Consulting 
> > Services" but that's for, well, their consulting services.  But 
> > there's a "Related Links" whose first item is "Security" 
> which gets us 
> > to the main security page, and its first link is for the security 
> > bulletins, which lists security-alert () sun com.
> >
> > from www.novell.com: I gasp and reluctantly allow the 
> ActiveX control 
> > to run, although IE isn't telling me which control I'm allowing.  I 
> > try a text search for "secur" [security, secure] which 
> seems to find 
> > something, but it's not highlighted in my browser so I can't tell. 
> > Emboldened by previous "Solutions" successes, I go there first, but 
> > this time no luck.  The "support" menu doesn't include a security 
> > sub-item but I click it anyway and find the Novell security alerts 
> > page, which includes a form I can use to submit bugs.
> >
> > from www.mandrake.com: I get redirected to 
> www.linux-mandrake.com and 
> > go to the Security Updates link, which has the 
> > security () linux-mandrake com address.
> >
> > from www.openbsd.org: I click on the "Security" link and the 
> > "Reporting problems" section points to deraadt () openbsd org
> >
> > from www.cisco.com: a "secur" search has similar issues that I had 
> > with www.novell.com (i.e. it's somewhere in the page but I 
> can't find 
> > it), though it does show up in a "Networking Solutions & 
> Provisioned 
> > Services" item.  I click on that and get a big Javascript 
> menu with a 
> > security option (maybe that was one of the search 
> matches?), so I go 
> > there, but the page is for various security solutions and not a 
> > security contact.  I use a drop-down menu to go to tech support, 
> > search for "secur" and get the SNMP advisory.  I notice a "Contact 
> > PSIRT" reference but for the sake of experimentation I'll pretend I 
> > don't know what PSIRT means, I'm looking for "security" 
> people.  So I 
> > go to the SNMP security advisory, which has a "Cisco Security 
> > Procedures" section, which then gets me to the PSIRT page and the 
> > security-alert () cisco com / psirt () cisco com addresses.
> >
> > from www.freebsd.org: click on "Security" and the first 
> section brings 
> > us to security-officer () FreeBSD org.
> >
> > from www.hp.com: no matches on "secur".  I try "support and 
> drivers" 
> > and then "HP technical support."  There's a "security" option under 
> > software, which brings me to a page that tells me how I can 
> "receive 
> > security bulletins by email," which isn't quite what I'm 
> looking for 
> > but close enough.  This tells me I have to go to the "HP IT 
> Resource 
> > Center" web site, register, then log in... but I'm not 
> really in the 
> > mood to register right now, I've already got enough web accounts to 
> > manage.  I just happen to notice a small "security" link on 
> the top of 
> > the page that hasn't been visited before, so I go there 
> > (http://www.hp.com/security/index.html).  There are some drop-down 
> > menus including particular product categories, so I'll just pick 
> > "hp-ux" software.  This lists various security products but no 
> > security contacts or promising links.  I try "all hp 
> internet security 
> > products and technologies" but that gets me back to a page I've 
> > already seen.  I try the "contact hp" link, which gets me to 
> > http://thenew.hp.com/country/us/eng/contact_us.html.  The main page 
> > doesn't immediately grab me, but the left hand menu says "report a 
> > software security issue" and I click on it.  This points me to 
> > security-alert () hp com.
> >
> > from www.mozilla.org: see 
> > http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html
> >
> > In short, the ease with which security contacts can be found varies 
> > from site to site, and individual to individual.  There are many 
> > different "reasonable" paths that somebody might take in finding a 
> > security contact.
> >
> > Software providers who wish to simplify vulnerability 
> notification can 
> > address some of this with prominent links from all of these pages:
> >
> >  - security pages (both the "solutions" and advisory pages)
> >
> >  - the advisories themselves
> >
> >  - tech support
> >
> >  - the "contact us" page.
> >
> >
> > - Steve
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in 
> humanity.  It eliminates dreams, goals, and ideals and lets 
> us get straight to the business of hate, debauchery, and 
> self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html