Full Disclosure
mailing list archives
Re: Fw: Earth to Facebook
From: upsploit advisories <upsploitadvisories () upsploit com>
Date: Sun, 18 Mar 2012 21:27:16 +0000
We don't just send the initial advisory... I guess I need to make the
website slightly more informative!
After the initial contact we have (currently) a 6 month disclosure policy.
We send an email every month, in the final month once a week and in the
final week once a day. This email is automatically generated and includes
information about how long is left, how many emails we have sent etc.
Please note that the 6 months is being changed to 1 month without contact 3
month fix (case by case) in the near future.
Thanks
On 18 March 2012 21:24, Thor (Hammer of God) <thor () hammerofgod com> wrote:
Why not just provide them with the contact and they can forward it on
directly? Then you could obviate the entire trust issue…
t
*From:* full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] *On Behalf Of *upsploit
advisories
*Sent:* Sunday, March 18, 2012 1:56 PM
*To:* Michal Zalewski
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] Fw: Earth to Facebook
The only other people that see the vulnerability are the select few in
upSploit.
However if the vendor is already in the upSploit database the advisory
gets submitted straight away to the vendor.
If you want to try it out there should be an upSploit vendor in the vendor
list. Submit some advisories there.
There is no ploy - like anything it is about trust. I created the service
because when I first started I found it hard to find contacts sometimes.
Use it if you want, don't if you don't. Simple as that really!
Use it once for something you may not care about too much and see how it
works for you.
Thanks,
On 18 March 2012 20:22, Michal Zalewski <lcamtuf () coredump cx> wrote:
Without meaning to advertise, that is one of the reasons upSploit was
created - so that you could submit a vulnerability and then upSploit
automatically sends to the vendor. This way you and your friend don't
have to do any of the work on the disclosure.
I clicked around and don't see any obvious explanation; other than the
reporter and the vendor, who else gets to see the submissions and
under what circumstances?
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/