Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

From: exon <exon_at_home.se>
Date: Mon, 29 Nov 2004 10:24:24 +0100

Jose Nazario wrote:
> On Thu, 25 Nov 2004, Heikki Toivonen wrote:
>
>
>>3. Either login if you already have an account, or click "create new
>>account". Let's assume we need to create a new account...
>>4. Type in a valid email address and click "Create Account"
>>5. [mail] Read email that was sent to the address to get password
>>6. back on in the browser, click "log in here"
>>7. fill in your username and password and click "login"
>
>
> [snip the rest of useful info on how to post good, healthy, actionable bug
> reports]
>
> requiring someone to register to post a bug is harmful in the sense that
> you wind up turning off peopl ewho simply can't be bothered to fill out
> that info or wish to remain anonymous.

Hence the security_at_mozilla.org address.

If you are anxious to get the bug fixed you have the option of filling
out the form and thereby making yourself available for further
questions, getting email with bug updates and the ability to submit
coredumps and whatnot.

If you're not so anxious you can simply send in an email and be content
with having let them know about it. Firefox still has the benefit of
running on a multitude of platforms and architectures. Someone trying to
exploit a vulnerability in it (as opposed to just crashing it) would
have to know both to be successful.

> while i definitely see the benefit
> of forcing registration or even wanting it, i bet you'e losing more bug
> reports than you care to imagine this way.
>

Perhaps the problem lies in the fact that the mozilla coders want people
to use the forum so they don't promote the security_at_mozilla.org mail
address enough?

> benefits of forcing/encouraging registration include:
> - garaunteed line of followup
> - reduced spam quantities in bugzilla
> - at leasta cutofof "i care enough to ..."
>
> still, you're losing more than you may expect. i know i've failed to file
> bug reports (non-security related) for mozilla products due to this "speed
> bump". the security@ route is useful, and i'm glad you pointed it out.
> this point should be considered by anyone who runs a bug reporting page
> for open submissions, you may be doing more harm than benefit.
>
Received on Nov 29 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos