Hi, On Sun, May 06, 2007 at 05:45:45PM +0200, shadown wrote: > 2- There are some vendors that are really dificult to deal with. It took me > about 4 months to get the right contact to report the bugs, and this would > be another think to think about, A public 'Vendor's Vulnerability Reporting > Contact DB/List'. That would definitely be helpful, the situation sounds familiar ...
> The main mailling list should create a 'Vulnerabilities Hashes mailing list' > where the researches comunity can send the hashes of the PoC files just > before they conctact the vendors. That way if the vendors do not give the > proper credits to the researchers, at least the researches will have another > proof to show that they were the ones that reported the vulnerabilities, and > not just the mails they've crossed with the vendors. You should have a look at the (free) PGP Digital Timestamping Service at http://www.itconsult.co.uk/stamper/stampinf.htm. No need to reinvent the wheel there, it's been alive for about 12 years now and will timestamp and PGP sign anything you send it, including hashes. HTH, Alex _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
