
Re: [Full-disclosure] Fw: Earth to Facebook



We don't just send the initial advisory... I guess I need to make the
website slightly more informative!

After the initial contact we have (currently) a 6 month disclosure policy.

We send an email every month, in the final month once a week and in the
final week once a day. This email is automatically generated and includes
information about how long is left, how many emails we have sent etc.

Please note that the 6 months is being changed to 1 month without contact 3
month fix (case by case) in the near future.

Thanks

On 18 March 2012 21:24, Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx> wrote:

> Why not just provide them with the contact and they can forward it on
> directly?  Then you could obviate the entire trust issue…
>
> t
>
> *From:* full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:
> full-disclosure-bounces@xxxxxxxxxxxxxxxxx] *On Behalf Of* upsploit
> advisories
> *Sent:* Sunday, March 18, 2012 1:56 PM
> *To:* Michal Zalewski
> *Cc:* full-disclosure@xxxxxxxxxxxxxxxxx
> *Subject:* Re: [Full-disclosure] Fw: Earth to Facebook
>
> The only other people that see the vulnerability are the select few in
> upSploit.
>
> However if the vendor is already in the upSploit database the advisory
> gets submitted straight away to the vendor.
>
> If you want to try it out there should be an upSploit vendor in the vendor
> list. Submit some advisories there.
>
> There is no ploy - like anything it is about trust. I created the service
> because when I first started I found it hard to find contacts sometimes.
> Use it if you want, don't if you don't. Simple as that really!
>
> Use it once for something you may not care about too much and see how it
> works for you.
>
> Thanks,
>
> On 18 March 2012 20:22, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote:
>
> > Without meaning to advertise, that is one of the reasons upSploit was
> > created - so that you could submit a vulnerability and then upSploit
> > automatically sends to the vendor. This way you and your friend don't have
> > to do any of the work on the disclosure.
>
> I clicked around and don't see any obvious explanation; other than the
> reporter and the vendor, who else gets to see the submissions and
> under what circumstances?
>
> /mz
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/