Full Disclosure mailing list archives

Re: Vulnerabilities Hashes DB needed


From: Alexander Klink <a.klink () cynops de>
Date: Sun, 6 May 2007 22:18:08 +0200

Hi,

On Sun, May 06, 2007 at 05:45:45PM +0200, shadown wrote:
> 2- There are some vendors that are really difficult to deal with. It took me
> about 4 months to get the right contact to report the bugs, and this would
> be another thing to think about, A public 'Vendor's Vulnerability Reporting
> Contact DB/List'.
That would definitely be helpful, the situation sounds familiar ...

> The main mailing list should create a 'Vulnerabilities Hashes mailing list'
> where the research community can send the hashes of the PoC files just
> before they contact the vendors. That way if the vendors do not give the
> proper credits to the researchers, at least the researchers will have another
> proof to show that they were the ones that reported the vulnerabilities, and
> not just the mails they've crossed with the vendors.
You should have a look at the (free) PGP Digital Timestamping Service
at http://www.itconsult.co.uk/stamper/stampinf.htm. No need to reinvent
the wheel there, it's been alive for about 12 years now and will
timestamp and PGP sign anything you send it, including hashes.

HTH,
    Alex
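
The scheme discussed in the thread (publish or timestamp a hash of the PoC now, reveal the file later to prove you had it first) is a hash commitment. The following is an added example, not code from either poster or from the itconsult.co.uk stamper service; it only assumes Python's standard library. It goes slightly beyond the plain file hash in the post by also showing a salted variant: a bare digest of a short or predictable file can be confirmed by anyone who guesses the file, whereas a 32-byte private salt (kept with the PoC, not published) removes that. The digest is what you would send to a timestamping service or a hashes list; the salt and PoC are revealed only when you need to prove priority.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed placeholder standing in for a real proof-of-concept file.
SAMPLE_POC = b"<constructed placeholder for a PoC file, any bytes work>\n"


def plain_file_hash(poc: bytes) -> str:
    """SHA-256 of the file as-is: the form literally proposed in the thread.

    Sufficient to prove you held this exact file, but anyone who can guess
    the file contents can confirm the match, so it hides nothing.
    """
    return hashlib.sha256(poc).hexdigest()


def make_commitment(poc: bytes, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (commitment_hex, salt) where commitment = SHA-256(salt || poc).

    The salt is generated here if not supplied (supplying one is only useful
    for tests). Keep the salt private next to the PoC; publish only the hex.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    digest = hashlib.sha256(salt + poc).hexdigest()
    return digest, salt


def verify_commitment(commitment_hex: str, poc: bytes, salt: bytes) -> bool:
    """Recompute the digest from the revealed salt and file; constant-time compare.

    Returns False if either the file or the salt differs by even one byte,
    which is exactly what a vendor (or a list archive) would check when a
    researcher later reveals the PoC to back a priority claim.
    """
    expected = hashlib.sha256(salt + poc).hexdigest()
    return hmac.compare_digest(expected, commitment_hex)


def build_timestamp_text(commitment_hex: str, note: str) -> str:
    """Assemble the text to submit for timestamping / signing.

    Only the digest and a short description go out; the PoC itself and the
    salt stay with the researcher. The format here is an assumption, not the
    stamper service's required input format.
    """
    return (
        "Commitment (SHA-256 over private salt || PoC file):\n"
        f"{commitment_hex}\n"
        f"Note: {note}\n"
    )


if __name__ == "__main__":
    commitment, salt = make_commitment(SAMPLE_POC)
    print(build_timestamp_text(commitment, "PoC for issue reported to vendor X (placeholder)"))

    # Later: reveal salt + file, and a verifier recomputes.
    print("genuine file verifies:", verify_commitment(commitment, SAMPLE_POC, salt))
    tampered = SAMPLE_POC[:-1] + b"?"
    print("altered file verifies:", verify_commitment(commitment, tampered, salt))
```

Note that the commitment proves only that the committed bytes existed at the time of the timestamp; it says nothing about who created them unless the submission is also signed, which is why the reply points at a service that PGP-signs what it stamps.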

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

