RE: Whose X do I need to X to get on CERT?
From: "Matt Groves" <mgr () micromuse com>
Date: Wed, 20 Feb 2002 17:15:16 -0000
-----BEGIN PGP SIGNED MESSAGE-----
[Disclaimer, legal stuff, strictly my own personal opinions enclosed,
I can vouch for the method that I took - Call them and ask them to
open a ticket for you for tracking purposes, establish a secure
communication method with them with PGP, call them and get their Hex
PGP Fingerprint, and vice-versa, then send them a signed and
encrypted mail with the statement you want on behalf of your company.
I was extremely impressed with their responsiveness and we had our
little snippet on their web pages within 36 hours.
- -----Original Message-----
From: Jonathan G. Lampe [mailto:jonathan () stdnet com]
Sent: 19 February 2002 22:46
To: bugtraq () securityfocus com
Subject: Whose X do I need to X to get on CERT?
My company makes a product ("UniGate") which among other things is an
agent. When CERT's recent SNMP advisory came out
(http://www.cert.org/advisories/CA-2002-03.html), we reacted I think
any other responsible vendor should. I grabbed the various test
available and threw them against undefended internal test boxes while
engineering staff consulted the source code. It took us two full
get a handle on things, but by February 14th we had an advisory
for our customers. I mailed CERT a copy (you can see the text of
On its major advisories CERT advertises a "Vendor Information"
"details from vendors who have provided feedback for this advisory."
see the online doc has been updated several times a day since the
came out (18 times since I sent my first email), but after 4 emails
phone calls I'm still waiting for anything other than an automated
Has anyone else (particularly vendors) ever had problems getting CERT
post stuff, or even acknowledge your presence? Is there an
"pay-to-play" thing going on here which has escaped my notice? Am I
talking to the wrong people? Anyone? Buehler?
TIA, Jonathan Lampe, GCIA, GSNA, etc.
P.S. Here's where I sent copies of the letter (give it another shot
2 days or so...):
cert () cert org SUBJ: VU#617947
cert () cert org SUBJ: CA-2002-03 Feedback VU#617947
cert () cert org SUBJ: Yet Another Vendor entry for CA-2002-03
412-268-7090 (Feb 15 and Feb 18)
(On a Friday phone calls, the guy ack'ed receipt of at least one of
email messages - said "call back on Monday".)
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
-----END PGP SIGNATURE-----