Penetration Testing mailing list archives
[PEN-TEST] disclosure and contact information
From: Ben Ford <bford () ERISKSECURITY COM>
Date: Tue, 6 Mar 2001 17:02:49 -0800
I just had a discussion with the higher-ups at the company I work for regarding vulnerability disclosure. It is SOP (and common courtesy) for most companies to give software companies a week or so advance notification when a vulnerability is found.

We are in the process of developing our policies and came to a point of contention here. We both agree that the vulnerabilities should be made public on our website, but he does not want to give advance notification to companies. His reasoning for this is simple. He doesn't want to invest the time to track down contact information for each and every company and/or product we end up dealing with.

To counter this point, is there a database somewhere with such contact information? It would have to be searchable by company and by product. It would only return contact information. A phone number, email etc.

If there is not, is anybody interested in joining forces to create one?

-b