[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?

Ken Adler ken.adler at gmail.com
Sun Jul 24 20:38:24 PDT 2011


Danny:

Suggest that you reach out to Dan Kaminsky <http://dankaminsky.com/bio/>
(dan at doxpara.com). I think he has actually stopped by NB in the past.

Dan is known in the industry as having executed one of the most responsible
disclosures of a major flaw to date.  Poor guy had to convince and
coordinate with all the tech giants.

Friendly guy, I am sure he could give you a few pointers as to how to
execute a responsible disclosure that is effective.

Regards

Ken

On Sat, Jul 23, 2011 at 11:33 PM, Danny O'Brien <danny at spesh.com> wrote:

> I've been able to deduce a fairly glaring security problem with a
> widely-available commercial product. Other users have found the same
> problem, and reported it to the company, but it sounds like they've
> sat on the problem for at least two months without pushing out a fix.
> (There's no cleverness here: it really didn't take me very long to
> work out a workable remote exploit from public information. It's a
> very clumsy mistake.)
>
> Can somebody who has been through this themselves walk me through the
> actual protocol to formally report this to the company (or gather
> evidence that they've been aware of the problem), and how to publicise
> it further through the correct channels?
>
> d.



-- 
Ken Adler
510-290-5806 (cell)
Ken at adler.net