[ISN] Security UPDATE -- So You Found a Security Problem, Now
What? -- June 29, 2005
InfoSec News
isn at c4i.org
Tue Jul 5 03:27:04 EDT 2005
Forwarded from: security curmudgeon <jericho at attrition.org>
Cc: mark at ntsecurity.net
: ==== 1. In Focus: So You Found a Security Problem, Now What? ====
: by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
: When you find a security problem, what do you do? The obvious answer is
: to contact the company that produced the product. However, alerting a
: company to your discovery of a problem in one of its products can be a
: challenge. Lots of companies simply don't prepare for reports of
: problems in their products and services. Their employees don't know what
: to do when people try to report problems. Nor do their Web sites or
: product documentation provide any information about who to contact for
: security matters.
Worse, several companies go so far as to tell you that unless you have a
customer support contract ($$), you cannot open a ticket with them.
: Like many of you, I subscribe to a lot of security mailing lists. I
: can't even begin to remember the number of times I've read a message to
: one of those lists from someone asking how to contact a given company.
: The messages typically say something like, "I found a security problem
: in Product XYZ. I tried to contact the company via email and received no
: response. Does anybody have security contact info for the company?"
: The trend seems to be to establish a "security@" or possibly a "secure@"
: email address that people can use to report potential security problems.
: Vendors should consider establishing such an address, if they haven't
: already.
Tens of thousands of sites do not maintain RFC addresses such as
postmaster@; hoping that all of these companies will use security@ may be
asking a lot. In fact, at least one large company seems to be retiring
this type of address.
Microsoft retiring abuse at microsoft.com
http://spamkings.oreilly.com/archives/2005/06/microsoft_retir.html
Until companies standardize and use these addresses, security researchers
can also use the Open Source Vulnerability Database vendor dictionary.
This was created to help alleviate this problem and provide a single
database with security contact information, knowledge base URLs and more.
Anyone is welcome to contribute information to the database, and we
especially hope vendors will do so.
http://osvdb.org/vendor_dict.php