Re: Gmail Information Disclosure Vulnerability
From: System Outage <system_outage () yahoo com>
Date: Mon, 5 Jul 2004 12:07:33 -0700 (PDT)
I fully agree with you on this topic. I found it hard to believe users were posting advisories for Gmail before public
release. In my view all issues should be directed to Gmail, and if the user wishes to use lists, such as FD, the user
should wait until the service is available to the public and then, perhaps, send it to FD for discussion.
The user could also state the discovery date and various other timeline dates, to give the user some better
acknowledgement in the advisory. This will prove (if the user wishes it to be known) they did find the hole at the Beta
stage and that Gmail let it slip through the net.
I suspect -a lot- of vulnerabilities will come to light the week that Gmail makes the service public. I think a lot of
users are holding back until then; I may be wrong though.
Eric LeBlanc <inouk () igt net> wrote:
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.
For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
the Gmail team of all bugs AND security holes we may find. As long as
this website is in beta stage, all advisories that someone may send to this
list or elsewhere are NOT considered 'Security Advisory' for me.
The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When the Gmail site is official and this
bug is still there, NOW you can publish your security advisory.
Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never
have thought of or imagined.
BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...
If we must publish all security advisories about beta software, this list
will be flooded...
inouk () igt net
UNIX is user friendly.
It's just selective about who its friends are.