Dailydave mailing list archives
Re: Moot choices, a sort of DD media party
From: Aviram Jenik <aviram () beyondsecurity com>
Date: Sat, 2 Jul 2005 11:48:56 +0300
On Friday 01 July 2005 18:31, Rodney Thayer wrote:
> What do you do when you find an exploit in a protocol spec? Do you disclose it to the standards body? Do you tell the vendor? Do you simply announce it? If you tell the vendor, is it ok for the vendor to choose to ignore you because they've faithfully implemented the standard and it's Not Their Problem?
A while ago we found a problem in the SMTP standard ("SMTP fragmentation") that allowed SMTP gateway bypassing in a way similar to TCP fragmentation:
http://www.securiteam.com/securitynews/5YP0A0K8CM.html

We decided the right thing to do was to contact all the relevant vendors we could find in addition to CERT, and hope for the best. We were actually surprised for the better - one vendor already knew about the problem and fixed their products long ago. Other vendors fixed their products within the timeframe we agreed on, and none of the vendors we talked to claimed it was an SMTP problem and not theirs.

The nice thing about contacting CERT is that when vendors we didn't contact (because they weren't on our radar or we couldn't find the proper contact information) complained, we referred them directly to CERT.

- Aviram