Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Gmail Information Disclosure Vulnerability
From: Maarten <fulldisc () ultratux org>
Date: Mon, 5 Jul 2004 21:09:53 +0200

On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
On Mon, 5 Jul 2004, System Outage wrote:

I agree with "System Outage".  Gmail clearly told us that their website is
in BETA stage.

Beta, alpha, released, yada yada.  Gmail is OPEN for the public, albeit you 
need "an invitation".  Thus, enough reason to disclose security holes.

For me, when a software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes.  That's why they want us to test
this site before going to the public release, and it's our job to notify
to the gmail team all bugs AND security holes we may find.  As long as
this website is in beta stage, all advisory that someone may send in this
list or elsewhere are NOT considered 'Security Advisory' for me.

Hm.  By that standard, we could not ever disclose stuff about microsoft 
software.  Cause their stuff is indefinitely beta, hahaha.  ;-)

The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION.  When gmail site will be official and when this
bug is still there, NOW you can publish your security advisory.

So, the solution to having embarrassing security problems published is never 
declare the program "Released".  Can someone please tell microsoft? They'd be 
real interested to declare IE and Outlook beta-software forever in that case. 

Futhermore, the best people for testing the software (bugs and security
holes) is the public.  They can do many things which we will never
thought or imagined.

Well now, isn't this  e x a c t l y  what's happening here ?

BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...

If we must publish all security advisorys about beta software, this list
will be flooded...

The very reason to HAVE a beta test phase is to find and flush out bugs early. 
Doing that, the released program can be as flawless as can be.  So when would 
you suggest disclosing bugs is a good time ? Release date being too late... 

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]