Re: [ISN] Security UPDATE -- So You Found a Security Problem, Now What?

Subject: Re: [ISN] Security UPDATE -- So You Found a Security Problem, Now What? -- June 29, 2005
Date: Tue, 5 Jul 2005 02:27:04 -0500 (CDT)
Forwarded from: security curmudgeon <jericho@attrition.org>
Cc: mark@ntsecurity.net


: 1. In Focus: So You Found a Security Problem, Now What?
: 
: ==== 1. In Focus: So You Found a Security Problem, Now What? ====
:    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

: When you find a security problem, what do you do? The obvious answer is 
: to contact the company that produced the product. However, alerting a 
: company to your discovery of a problem in one of its products can be a 
: challenge. Lots of companies simply don't prepare for reports of 
: problems in their products and services. Their employees don't know what 
: to do when people try to report problems. Nor do their Web sites or 
: product documentation provide any information about who to contact for 
: security matters.

Worse, several companies go so far as to tell you that unless you have a 
customer support contract ($$), you cannot open a ticket with them. 

: Like many of you, I subscribe to a lot of security mailing lists. I 
: can't even begin to remember the number of times I've read a message to 
: one of those lists from someone asking how to contact a given company. 
: The messages typically say something like, "I found a security problem 
: in Product XYZ. I tried to contact the company via email and received no 
: response. Does anybody have security contact info for the company?"

: The trend seems to be to establish a "security@" or possibly a "secure@" 
: email address that people can use to report potential security problems. 
: Vendors should consider establishing such an address, if they haven't 
: already.

Tens of thousands of sites do not maintain RFC addresses such as 
postmaster@; hoping that all of these companies will use security@ may be 
asking a lot. In fact, at least one large company seems to be retiring 
this type of address. 

   Microsoft retiring abuse@microsoft.com
   http://spamkings.oreilly.com/archives/2005/06/microsoft_retir.html

Until companies standardize and use these addresses, security researchers 
can also use the Open Source Vulnerability Database vendor dictionary. 
This was created to help alleviate this problem and provide a single 
database with security contact information, knowledge base URLs and more. 
Anyone is welcome to contribute information to the database, and we 
especially hope vendors will do so.

   http://osvdb.org/vendor_dict.php



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 
