[Noisebridge-discuss] security people, can somebody walk me through this whole disclosure business?
ken.adler at gmail.com
Sun Jul 24 20:38:24 PDT 2011
Suggest that you reach out to Dan Kaminsky <http://dankaminsky.com/bio/>
(dan at doxpara.com). I think he has actually stopped by NB in the past.
Dan is known in the industry as having executed one of the most responsible
disclosures of a major flaw to date. Poor guy had to convince and
coordinate with all the tech giants.
Friendly guy, I am sure he could give you a few pointers as to how to
execute a responsible disclosure that is effective.
On Sat, Jul 23, 2011 at 11:33 PM, Danny O'Brien <danny at spesh.com> wrote:
> I've been able to deduce a fairly glaring security problem with a
> widely-available commercial product. Other users have found the same
> problem, and reported it to the company, but it sounds like they've
> sat on the problem for at least two months without pushing out a fix.
> (There's no cleverness here: it really didn't take me very long to
> work out a workable remote exploit from public information. It's a
> very clumsy mistake.)
> Can somebody who has been through this themselves walk me through the
> actual protocol to formally report this to the company (or gather
> evidence that they've been aware of the problem), and how to publicise
> it further through the correct channels?
Ken at adler.net