Full Disclosure mailing list archives

Re: Gmail Information Disclosure Vulnerability
From: System Outage <system_outage () yahoo com>
Date: Mon, 5 Jul 2004 12:07:33 -0700 (PDT)

I fully agree with you on this topic. I found it hard to believe users were posting advisories for Gmail before public 
release. In my view all issues should be directed to Gmail and, if the user wishes to use lists such as FD, the user 
should wait until the service is available to the public and then, perhaps, send it to FD for discussion. 
The user could also state the discovery date and various other timeline dates, to give the user some better 
acknowledgement in the advisory. This will prove (if the user wishes it to be known) they did find the hole at the Beta 
stage and that Gmail let it slip through the net.
I suspect a lot of vulnerabilities will come to light in the week that Gmail makes the service public. I think a lot of 
users are holding back until then; I may be wrong though.

Eric LeBlanc <inouk () igt net> wrote:
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.

For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
to the gmail team all bugs AND security holes we may find. As long as
this website is in beta stage, all advisories that someone may send in this
list or elsewhere are NOT considered 'Security Advisory' for me.

The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When gmail site will be official and when this
bug is still there, NOW you can publish your security advisory.

Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never have
thought of or imagined.

BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...

If we must publish all security advisories about beta software, this list
will be flooded...

Eric LeBlanc
inouk () igt net
UNIX is user friendly.
It's just selective about who its friends are.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html