Penetration Testing mailing list archives

Re: [PEN-TEST] disclosure and contact information


From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 7 Mar 2001 14:58:40 -0700

* Ben Ford (bford () ERISKSECURITY COM) [010307 21:54]:
> I just had a discussion with the higher-ups at the company I work for
> regarding vulnerability disclosure.  It is SOP (and common courtesy) for
> most companies to give software companies a week or so advance
> notification when a vulnerability is found.  We are in the process of
> developing our policies and came to a point of contention here.  We both
> agree that the vulnerabilities should be made public on our website, but
> he does not want to give advance notification to companies.  His
> reasoning for this is simple.  He doesn't want to invest the time to
> track down contact information for each and every company and/or product
> we end up dealing with.
>
> To counter this point, is there a database somewhere with such contact
> information?  It would have to be searchable by company and by product.
> It would only return contact information.  A phone number, email etc.
> If there is not, is anybody interested in joining forces to create one?

We have such a list of contacts here at SecurityFocus.com. You can ask
for vendor contact information by emailing vulnhelp () securityfocus com.
Please note that the list is limited. Not many vendors have contact
information specifically for security problems. Most of them handle
such cases via their regular support channel which can be quite frustrating
to deal with. Most of the companies in the list are ones for which
vulnerabilities have been found in their products in the past.

If there are any vendors of products reading this that wish their
security contact information to be added to the list, please email
the information to vulnhelp () securityfocus com.

-b

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum