Forwarded from: security curmudgeon <jericho@private>
Cc: mark@private

: 1. In Focus: So You Found a Security Problem, Now What?
:
: ==== 1. In Focus: So You Found a Security Problem, Now What? ====
: by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
:
: When you find a security problem, what do you do? The obvious answer is
: to contact the company that produced the product. However, alerting a
: company to your discovery of a problem in one of its products can be a
: challenge. Lots of companies simply don't prepare for reports of
: problems in their products and services. Their employees don't know what
: to do when people try to report problems. Nor do their Web sites or
: product documentation provide any information about who to contact for
: security matters.

Worse, several companies go so far as to tell you that unless you have a
customer support contract ($$), you cannot open a ticket with them.

: Like many of you, I subscribe to a lot of security mailing lists. I
: can't even begin to remember the number of times I've read a message to
: one of those lists from someone asking how to contact a given company.
: The messages typically say something like, "I found a security problem
: in Product XYZ. I tried to contact the company via email and received no
: response. Does anybody have security contact info for the company?"
:
: The trend seems to be to establish a "security@" or possibly a "secure@"
: email address that people can use to report potential security problems.
: Vendors should consider establishing such an address, if they haven't
: already.

Tens of thousands of sites do not maintain RFC addresses such as
postmaster@; hoping that all of these companies will use security@ may be
asking a lot. In fact, at least one large company seems to be retiring this
type of address.
Microsoft retiring abuse@private
http://spamkings.oreilly.com/archives/2005/06/microsoft_retir.html

Until companies standardize and use these addresses, security researchers
can also use the Open Source Vulnerability Database vendor dictionary. This
was created to help alleviate this problem and provide a single database
with security contact information, knowledge base URLs and more. Anyone is
welcome to contribute information to the database, and we especially hope
vendors will do so.

http://osvdb.org/vendor_dict.php
This archive was generated by hypermail 2.1.3 : Tue Jul 05 2005 - 00:53:42 PDT