On Tuesday, June 20, 2017 at 12:52:02 PM UTC-4, Lee wrote:
> On 6/20/17, mfisch--- via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote:
> >> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via
> >> dev-security-policy wrote:
> >> > If you should find such an issue again in a Cisco owned domain, please
> >> > report it to ps...@cisco.com and we will ensure that prompt and proper
> >> > actions are taken.
> >>
> >> I don't know, this way seems to have worked Just Fine.
> >>
> >> - Matt
> >
> > Does no-one else see the lack of responsible disclosure in this thread
> > distressing?
> 
> Nope.  The first requirement for "responsible disclosure" is knowing
> you're disclosing something.  Take a look at the original msg:
> -- I wasn't entirely sure whether this is considered a key compromise. I asked
> -- Hanno Böck on Twitter (https://twitter.com/koenrh/status/873869275529957376), and he advised me to
> -- post the matter to this mailing list.
>      <.. snip ..>
> -- If this is indeed considered a key compromise, where do I go from here, and what
> -- are the recommended steps to take?
> 
> If you want to argue that I should have replied with something about
> sending the info to ps...@cisco.com instead of just forwarding the 1st
> two messages in the thread to them.. yeah, maybe I should have done it
> that way.
> 
> > Instead -- this was posted to a public forum giving many thousands of people
> > the opportunity to chain a vector attack against Cisco CCO IDs (which in
> > some cases might lead to customer network compromise).
> 
> I'm curious - how does one use a cert for drmlocal.cisco.com to chain
> a vector attack against Cisco CCO IDs?
> 
> Regards,
> Lee

I think his complaint was that you laid out every single detail
while simultaneously asking what you should do. I think you could have done
without the vast detail and kept it very generic until you figured out who to
contact, then let the vendors fix it.

Moral of the story: if you have to ask whether it's a disclosure, you are better
off being safe than sorry and keeping the info under close wraps until you confirm it.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy