RE: Whose X do I need to X to get on CERT?

From: Matt Groves (mgrat_private)
Date: Wed Feb 20 2002 - 09:15:16 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hello,
    
    [Disclaimer, legal stuff, strictly my own personal opinions enclosed,
    etc.]
    
    I can vouch for the method that I took - call them and ask them to
    open a ticket for you for tracking purposes, establish a secure
    communication method with them with PGP, call them and get their Hex
    PGP Fingerprint, and vice-versa, then send them a signed and
    encrypted mail with the statement you want on behalf of your company.
    I was extremely impressed with their responsiveness and we had our
    little snippet on their web pages within 36 hours.
    
    HTH,
    
    Matt.
    
    - -----Original Message-----
    From: Jonathan G. Lampe [mailto:jonathanat_private] 
    Sent: 19 February 2002 22:46
    To: bugtraqat_private
    Subject: Whose X do I need to X to get on CERT?
    
    
    My company makes a product ("UniGate") which among other things is an
    SNMP agent.  When CERT's recent SNMP advisory came out
    (http://www.cert.org/advisories/CA-2002-03.html), we reacted I think
    like any other responsible vendor should.  I grabbed the various test
    suites available and threw them against undefended internal test boxes
    while the engineering staff consulted the source code.  It took us two
    full days to get a handle on things, but by February 14th we had an
    advisory statement for our customers.  I mailed CERT a copy (you can
    see the text of the message here:
    http://www.stdnet.com/support/?category_number=3&subcategory_number=1)
    
    On its major advisories CERT advertises a "Vendor Information" section
    with "details from vendors who have provided feedback for this
    advisory."  I see the online doc has been updated several times a day
    since the advisory came out (18 times since I sent my first email), but
    after 4 emails and 2 phone calls I'm still waiting for anything other
    than an automated response.
    
    Has anyone else (particularly vendors) ever had problems getting CERT
    to post stuff, or even acknowledge your presence?  Is there an
    invisible "pay-to-play" thing going on here which has escaped my
    notice?  Am I talking to the wrong people?  Anyone?  Buehler?
    
    TIA, Jonathan Lampe, GCIA, GSNA, etc.
    
    P.S.  Here's where I sent copies of the letter (give it another shot
    every 2 days or so...):
    certat_private  SUBJ: VU#617947
    certat_private  SUBJ: CA-2002-03 Feedback VU#617947
    certat_private  SUBJ: Yet Another Vendor entry for CA-2002-03
    
    Number Called:
    412-268-7090  (Feb 15 and Feb 18)
    
    (On the Friday phone call, the guy ack'ed receipt of at least one of
    the email messages - said "call back on Monday".)
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.4
    
    iQA/AwUBPHPZpDug2gJYiF5gEQKbmQCg8cmIHwkSMvPNv9xyMOGfwzX4x78Amwel
    criB0FniN9RUlT9Kex07u4ec
    =gl1M
    -----END PGP SIGNATURE-----
    
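The exchange Matt describes (fingerprints compared out of band, then a signed and encrypted statement), carried through with GnuPG as an added example that is not part of the original thread. The two parties ("vendor" and "cert"), their addresses under the reserved .invalid TLD, the statement text and the throwaway keyrings are all constructed for the demo; it assumes GnuPG 2.1 or later on PATH, while the fingerprint helpers need only POSIX tools.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed parties: "vendor"
# and "cert" with addresses under the reserved .invalid TLD. The exchange demo
# needs GnuPG >= 2.1 on PATH; the fingerprint helpers need only POSIX tools.

# Normalize a fingerprint as read out over the phone or pasted from a key
# listing: strip spaces, colons and tabs, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if both values normalize to the same 40-hex-digit (OpenPGP v4)
# fingerprint. Shorter values (key IDs, or the 32-digit MD5 fingerprints of
# 2002-era v3 keys) are refused: they do not bind a key strongly enough to act on.
fingerprints_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Fingerprint of the first key matching a user ID in the current GNUPGHOME.
key_fpr() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# gpg with the options needed for unattended use of passphrase-less demo keys.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Runs the whole exchange. Returns 0 on success, 1 on any failure, and 0 with a
# note when no usable gpg is installed (so the helpers above stay testable).
demo_exchange() {
    ver=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')
    case "$ver" in 2.[1-9]*) ;; *) echo "GnuPG >= 2.1 not found; skipping demo"; return 0 ;; esac
    work=$(mktemp -d) || return 1
    vendor='vendor@example.invalid'; cert='cert@example.invalid'

    # 1. Each side generates its own key pair (signing primary + encryption subkey)
    #    and notes the fingerprint it will read out over the phone.
    for who in vendor cert; do
        export GNUPGHOME="$work/$who"; mkdir -m 700 -p "$GNUPGHOME" || return 1
        g --quick-generate-key "$who@example.invalid" default default never || return 1
        g --armor --export "$who@example.invalid" > "$work/$who.asc" || return 1
        key_fpr "$who@example.invalid" > "$work/$who.phone"
    done

    # 2. Each side imports the other's key, compares the imported fingerprint with
    #    the one received out of band, and only then marks it verified (local signature).
    for who in vendor cert; do
        other=$([ "$who" = vendor ] && echo cert || echo vendor)
        export GNUPGHOME="$work/$who"
        g --import "$work/$other.asc" || return 1
        fingerprints_match "$(key_fpr "$other@example.invalid")" "$(cat "$work/$other.phone")" \
            || { echo "fingerprint mismatch for $other"; return 1; }
        g --quick-lsign-key "$(key_fpr "$other@example.invalid")" || return 1
    done

    # 3. The vendor sends its statement signed and encrypted to CERT.
    export GNUPGHOME="$work/vendor"
    printf 'Constructed vendor statement for the demo.\n' > "$work/statement.txt"
    g --local-user "$vendor" --recipient "$cert" --armor --sign --encrypt \
        --output "$work/statement.asc" "$work/statement.txt" || return 1

    # 4. CERT decrypts, then accepts the signature only if gpg reports it VALID and
    #    made by the exact fingerprint confirmed in step 2, not by any key in the ring.
    export GNUPGHOME="$work/cert"
    g --status-file "$work/status" --output "$work/received.txt" --decrypt "$work/statement.asc" || return 1
    grep -q "^\[GNUPG:\] VALIDSIG $(cat "$work/vendor.phone") " "$work/status" \
        || { echo "signature not from the verified vendor key"; return 1; }
    cmp -s "$work/statement.txt" "$work/received.txt" || return 1

    for who in vendor cert; do GNUPGHOME="$work/$who" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"; unset GNUPGHOME
    echo "exchange ok"
}

demo_exchange
```

The check worth copying is step 4: a signature is accepted only when gpg reports it valid and the reported fingerprint equals the one confirmed by phone, so a good signature from some other key that happens to be in the keyring is rejected. Step 2 does the same on the way in: the local signature (gpg's "I verified this myself" marker) is only applied after the fingerprints match, which is what makes the later encryption target trustworthy without resorting to --trust-model always.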



    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 13:15:07 PST