Bugtraq mailing list archives
Re: SAP Security Contact
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Fri, 05 Jan 2007 14:39:12 -0800
You guys might want to put that on your web site. Probably somewhere under "Contact Us" so that it is easy to, um, contact you specifically for security issues.

Had it been someone other than Mark Litchfield or NGSSoftware who found the unauthenticated remote vulnerability allowing for arbitrary code execution in the SYSTEM context, they may very well have become frustrated with the lack of contact info and the "you must mail this to the office" bit and seen fit to just publish vulnerability details.

Something like security () sap com may seem obvious, but it's better if you list specific contact info so it can be easily found.

t

On 1/5/07 6:41 AM, "Fritz.Bauspiess () sap com" <Fritz.Bauspiess () sap com> spoketh to all:
The contact email address is <security sap com>. Security issues will then be handled by our Security Response Team in direct communication with the reporter of the issues.

Kind regards,
Fritz Bauspiess, SAP NetWeaver Product Management Security
