-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: Wednesday, November 06, 2002 3:39 PM
To: Steven M. Christey
Cc: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Oracle Security Contact
Many ISPs and some corps now list an abuse@ address in their domain info. Sure would be nice to see vendors also include such security@ contact addresses in their domain info, rather than make folks hunt and seek such critical information all over the web.

Thanks,

Ron DuFresne

On Tue, 5 Nov 2002, Steven M. Christey wrote:
On the full-disclosure list, low halo asked:

Could someone please give me the security contact address for Oracle Corporation? It seems as though their marketing department's "Unbreakable" slogan makes them think that it's OK to bury their security advisories & contact info deep within their site somewhere.

It's not immediately obvious when navigating from the www.oracle.com home page, but it's listed at:

http://otn.oracle.com/deploy/security/alerts.htm
secalert_us () oracle com

I found this by doing a site search on "vulnerability," which led me to the advisory page.

Very few vendor home pages (open/closed source, freeware or not) seem to make it easy to find a security contact, or advisory page, from the home page.

Here's a quick look I just did from the home pages of various software providers. Your Mileage May Vary.

from www.microsoft.com: click on "Security" in the resources menu, click on "more bulletins and patches," go to "contact Microsoft security"

from www.redhat.com: there's no "security" link on the front page. The "community resources" menu does not mention a security link. The "support & docs" link asks for user registration, but there's an "errata" menu on the left hand side. This gets us to a "security alerts" page but I don't see any security POCs there. There's a "Bugzilla" link on the left hand menu, but this leads to the bugzilla.redhat.com web site, which requires registration. The online security advisories don't seem to list a security contact. The advisories, when posted to Bugtraq, come from bugzilla () redhat com and not some security-specific email address. But the advisory does list a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which suggests that a security () redhat com address is available. On this PGP key page, there's a "Red Hat Security Resource Center" menu along with a "Security Contacts and Procedures" option. Then I see that this was under the "Enterprise Solutions" web page, which could have been found from the www.redhat.com home page had I clicked on the "Enterprise Solutions" link instead of the "Support & Docs" link.

from www.suse.de: click "security announcements" and the security contact is near the top of the page

from www.debian.com: click "security information" which links to the "Debian security FAQ" which has a "How can I reach the security team?" question which points to security () debian org

from www.sun.com: I have two main navigation options, "solutions" or "support & training." I'll try "solutions" since that would have worked for Red Hat. There's a "security" option under "Consulting Services" but that's for, well, their consulting services. But there's a "Related Links" whose first item is "Security" which gets us to the main security page, and its first link is for the security bulletins, which lists security-alert () sun com

from www.novell.com: I gasp and reluctantly allow the ActiveX control to run, although IE isn't telling me which control I'm allowing. I try a text search for "secur" [security, secure] which seems to find something, but it's not highlighted in my browser so I can't tell. Emboldened by previous "Solutions" successes, I go there first, but this time no luck. The "support" menu doesn't include a security sub-item but I click it anyway and find the Novell security alerts page, which includes a form I can use to submit bugs.

from www.mandrake.com: I get redirected to www.linux-mandrake.com and go to the Security Updates link, which has the security () linux-mandrake com address.

from www.openbsd.org: I click on the "Security" link and the "Reporting problems" section points to deraadt () openbsd org

from www.cisco.com: a "secur" search has similar issues that I had with www.novell.com (i.e. it's somewhere in the page but I can't find it), though it does show up in a "Networking Solutions & Provisioned Services" item. I click on that and get a big Javascript menu with a security option (maybe that was one of the search matches?), so I go there, but the page is for various security solutions and not a security contact. I use a drop-down menu to go to tech support, search for "secur" and get the SNMP advisory. I notice a "Contact PSIRT" reference but for the sake of experimentation I'll pretend I don't know what PSIRT means, I'm looking for "security" people. So I go to the SNMP security advisory, which has a "Cisco Security Procedures" section, which then gets me to the PSIRT page and the security-alert () cisco com / psirt () cisco com addresses.

from www.freebsd.org: click on "Security" and the first section brings us to security-officer () FreeBSD org

from www.hp.com: no matches on "secur". I try "support and drivers" and then "HP technical support." There's a "security" option under software, which brings me to a page that tells me how I can "receive security bulletins by email," which isn't quite what I'm looking for but close enough. This tells me I have to go to the "HP IT Resource Center" web site, register, then log in... but I'm not really in the mood to register right now, I've already got enough web accounts to manage. I just happen to notice a small "security" link on the top of the page that hasn't been visited before, so I go there (http://www.hp.com/security/index.html). There are some drop-down menus including particular product categories, so I'll just pick "hp-ux" software. This lists various security products but no security contacts or promising links. I try "all hp internet security products and technologies" but that gets me back to a page I've already seen. I try the "contact hp" link, which gets me to http://thenew.hp.com/country/us/eng/contact_us.html. The main page doesn't immediately grab me, but the left hand menu says "report a software security issue" and I click on it. This points me to security-alert () hp com

from www.mozilla.org: see http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html

In short, the ease with which security contacts can be found varies from site to site, and individual to individual. There are many different "reasonable" paths that somebody might take in finding a security contact.

Software providers who wish to simplify vulnerability notification can address some of this with prominent links from all of these pages:

- security pages (both the "solutions" and advisory pages)
- the advisories themselves
- tech support
- the "contact us" page.

- Steve
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in
humanity. It eliminates dreams, goals, and ideals and lets
us get straight to the business of hate, debauchery, and
self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.