Penetration Testing mailing list archives
Re: [PEN-TEST] disclosure and contact information
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 7 Mar 2001 14:58:40 -0700
* Ben Ford (bford () ERISKSECURITY COM) [010307 21:54]:
I just had a discussion with the higher-ups at the company I work for regarding vulnerability disclosure. It is SOP (and common courtesy) for most companies to give software companies a week or so advance notification when a vulnerability is found. We are in the process of developing our policies and came to a point of contention here. We both agree that the vulnerabilities should be made public on our website, but he does not want to give advance notification to companies. His reasoning for this is simple. He doesn't want to invest the time to track down contact information for each and every company and/or product we end up dealing with. To counter this point, is there a database somewhere with such contact information? It would have to be searchable by company and by product. It would only return contact information. A phone number, email etc. If there is not, is anybody interested in joining forces to create one?
We have such a list of contacts here at SecurityFocus.com. You can ask for vendor contact information by emailing vulnhelp () securityfocus com. Please note that the list is limited. Not many vendors have contact information specifically for security problems. Most of them handle such cases via their regular support channel which can be quite frustrating to deal with. Most of the companies in the list are ones for which vulnerabilities have been found in their products in the past. If there are any vendors of products reading this that wish their security contact information be added to the list please email the information to vulnhelp () securityfocus com.
-b
-- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum