[security] 2 possible flaws
Brian Hernacki
brian_hernacki at symantec.com
Tue Apr 17 18:08:08 UTC 2007
Take a look here: http://www.oisafety.org/
OIS had guidelines used for "responsible disclosure" which is used within
the software and security industry to address these kinds of issues.
--brian
On 4/17/07 4:02 AM, "Chris Drake" <christopher at pobox.com> wrote:
> Hi gaz,
>
> I think we should adopt the "normal" full-disclosure approach here?
>
> As far as I know, there are a few different places that accept reported
> vulnerabilities and "push them out" to registered vendors, who get a
> time to poke at the problem, fix it, and then in due course, the (now
> fixed) vulnerability gets published and the reporter gets the "fame"
> for having found and helped improve everything.
>
> Does anyone know more about the mechanics of this process? While I'm
> a subscriber to several of these reporting things for various systems I
> run, I've not actually *posted* a vulnerability before, let alone
> worked out how to register a new product/service like OpenID.
>
> CERT is the best known place that I know of.
>
> Kind Regards,
> Chris Drake
>
>
> Tuesday, April 17, 2007, 7:26:20 PM, you wrote:
>
> ghc> -----BEGIN PGP SIGNED MESSAGE-----
> ghc> Hash: SHA1
>
> ghc> Hi all
>
> ghc> I have been thinking about 2 possible flaws with OpenID providers,
> ghc> I haven't had time to test any of them however because I've started
> ghc> work on another project.
>
> ghc> Now they might not even exist or they could possibly create huge
> ghc> flaws in every provider worst case. I would like someone to test my
> ghc> theories and see if the holes are possible to exploit.
>
> ghc> What do you think is the best policy here? Do you think it is safe
> ghc> for me to publicly discuss this?
>
> ghc> Cheers
>
> ghc> Gareth
> ghc> -----BEGIN PGP SIGNATURE-----
> ghc> Note: This signature can be verified at
> ghc> https://www.hushtools.com/verify
> ghc> Version: Hush 2.5
>
> ghc> -----END PGP SIGNATURE-----
>
>
>
> ghc> _______________________________________________
> ghc> security mailing list
> ghc> security at openid.net
> ghc> http://openid.net/mailman/listinfo/security
>
>
>