Full Disclosure mailing list archives
Re: Vulnerabilities Hashes DB needed
From: Alexander Klink <a.klink () cynops de>
Date: Sun, 6 May 2007 22:18:08 +0200
Hi,

On Sun, May 06, 2007 at 05:45:45PM +0200, shadown wrote:
> 2- There are some vendors that are really difficult to deal with. It took me about 4 months to get the right contact to report the bugs, and this would be another thing to think about, a public 'Vendor's Vulnerability Reporting Contact DB/List'.
That would definitely be helpful, the situation sounds familiar ...
> The main mailing list should create a 'Vulnerabilities Hashes mailing list' where the research community can send the hashes of the PoC files just before they contact the vendors. That way if the vendors do not give the proper credits to the researchers, at least the researchers will have another proof to show that they were the ones that reported the vulnerabilities, and not just the mails they've crossed with the vendors.
You should have a look at the (free) PGP Digital Timestamping Service at http://www.itconsult.co.uk/stamper/stampinf.htm. No need to reinvent the wheel there, it's been alive for about 12 years now and will timestamp and PGP sign anything you send it, including hashes.

HTH,
Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
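The hash-then-timestamp idea discussed in this thread, as an added example that is not part of the original posts: it builds the short text a researcher would submit for timestamping and later checks a disclosed PoC against it. The function names, the field layout and the salted SHA-256(nonce || file) scheme are assumptions of this example; the random nonce keeps a small or guessable PoC from being confirmed by anyone who sees only the published digest.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SCHEME = "SHA-256(nonce32 || file)"  # label chosen for this example
NONCE_LEN = 32  # fixed length, so the nonce/file boundary is unambiguous


def make_commitment(poc: bytes, researcher: str,
                    nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (public_text, nonce). Only public_text is sent for timestamping;
    the nonce and the PoC stay private until disclosure."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly 32 bytes")
    digest = hashlib.sha256(nonce + poc).hexdigest()
    public_text = (
        "PoC commitment\n"
        f"researcher: {researcher}\n"
        f"scheme: {SCHEME}\n"
        f"digest: {digest}\n"
    )
    return public_text, nonce


def verify_commitment(public_text: str, poc: bytes, nonce: bytes) -> bool:
    """Check a revealed PoC and nonce against the timestamped text."""
    fields = dict(line.split(": ", 1)
                  for line in public_text.splitlines() if ": " in line)
    if fields.get("scheme") != SCHEME or len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + poc).hexdigest()
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(),
                               fields.get("digest", "").encode())


if __name__ == "__main__":
    sample_poc = b"constructed sample bytes standing in for a PoC file"
    text, secret_nonce = make_commitment(sample_poc, "example researcher")
    print(text)  # this text is what gets timestamped and signed
    print("matches:", verify_commitment(text, sample_poc, secret_nonce))
```

The timestamp proves only that the digest existed at signing time, so the researcher must keep the exact PoC bytes and the nonce unchanged to reveal later.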