How to Report a Securiyt Vulnerability to Microsoft

[jamie fisher <contact_jamie_fisher () yahoo co uk>]

Hi...  For what it is worth I wanted to wade into this discussion pool.  Recently I found a BO at rad.msn.com and 
published it to Full Disclosure but not without first contacting Microsoft with my findings.  As it transpires I had 
sent my findings to the wrong email address.  To cut an uninteresting story short, through an itterative process 
Microsoft and I worked together (no money involved - and I shouldn't think so either) to understand and resolve the 
issue.  Suprisingly I found the people at Microsoft very friendly; the sort of people I'd probably have a pint with at 
the pub on the weekend.
 
Personally I'm vendor OS agnostic, i.e., I dont give a rats arse as to whether you're alligned with Linux, IBM, VMS, 
Microsoft or Mr Crappy's OS.  As a security consultant, and with politics out of the way my only interest is whether 
the OS or product can be secured well.  In terms of my experience in finding security vulns and flaws in code I'm quite 
green, but I do know that it is essential for me to foster a good working relationship with vendors if I am to be 
anything other than a 'here is my big whoopie security vuln: fUx to M$' type of security consultant.
 
Perhaps Microsoft genuinely thought it about time another anouncement was sent to FD to keep the education process from 
stalling.  Personally I think they're doing a stellar job!

Send instant messages to your online friends http://uk.messenger.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/