Re: [ISN] Security UPDATE -- So You Found a Security Problem, Now What? -- June 29, 2005

From: InfoSec News (isn@private)
Date: Tue Jul 05 2005 - 00:27:04 PDT


Forwarded from: security curmudgeon <jericho@private>
Cc: mark@private


: 1. In Focus: So You Found a Security Problem, Now What?
: 
: ==== 1. In Focus: So You Found a Security Problem, Now What? ====
:    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

: When you find a security problem, what do you do? The obvious answer is 
: to contact the company that produced the product. However, alerting a 
: company to your discovery of a problem in one of its products can be a 
: challenge. Lots of companies simply don't prepare for reports of 
: problems in their products and services. Their employees don't know what 
: to do when people try to report problems. Nor do their Web sites or 
: product documentation provide any information about who to contact for 
: security matters.

Worse, several companies go so far as to tell you that unless you have a 
customer support contract ($$), then you can not open a ticket with them. 

: Like many of you, I subscribe to a lot of security mailing lists. I 
: can't even begin to remember the number of times I've read a message to 
: one of those lists from someone asking how to contact a given company. 
: The messages typically say something like, "I found a security problem 
: in Product XYZ. I tried to contact the company via email and received no 
: response. Does anybody have security contact info for the company?"

: The trend seems to be to establish a "security@" or possibly a "secure@" 
: email address that people can use to report potential security problems. 
: Vendors should consider establishing such an address, if they haven't 
: already.

Tens of thousansd of sites do not maintain RFC addresses such as 
postmaster@, hoping that all of these companies will use security@ may be 
asking a lot. In fact, at least one large company seems to be retiring 
this type of address. 

   Microsoft retiring abuse@private
   http://spamkings.oreilly.com/archives/2005/06/microsoft_retir.html

Until companies standardize and use these addresses, security researchers 
can also use the Open Source Vulnerability Database vendor dictionary. 
This was created to help alleviate this problem and provide a single 
database with security contact information, knowledge base URLs and more. 
Anyone is welcome to contribute information to the database, and we 
especially hope vendors will do so.

   http://osvdb.org/vendor_dict.php



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Tue Jul 05 2005 - 00:53:42 PDT