Full disclosure... True. Nobody is taking issue with the content, just the timing.
10 days is an unreal expectation. Though 10 days may feel like a long time to you sir, it whizez by inside of a growth company such as Google. This type of disclosure is where the motivation for OIS comes from. I am not saying I agree with the OIS 'partner' agendas or their execution- though there is some genuine interest in setting basic guidelines based on industry experiance, not regulating research or its biproducts (imho not gunna happen). So where is the middle ground as it applies to research. Cheers, Geoff Shively Chief Scientist, Founder PivX Solutions, Inc. 23 Corporate Plaza #280 Newport Beach, CA 92660 http://www.pivx.com [EMAIL PROTECTED] Ticker: PIVX.OB Mobile: 949.903.8856 -----Original Message----- From: Tremaine <[EMAIL PROTECTED]> To: System Outage <[EMAIL PROTECTED]> CC: [EMAIL PROTECTED] <[EMAIL PROTECTED]> Sent: Mon Jul 05 07:46:16 2004 Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability It's about posting security advisories. The initial poster advises they notified the gmail team, and posted this advisory 10 days later. It is immaterial whether an application is in alpha, beta or production. If the software or application is in use outside the development team, and there is a security issue, it is relevant to this list. It's called Full Disclosure for a reason... not partial disclosure, not disclosure of production applications only... Full Disclosure. If you want partial disclosure, you may need to rethink your subscription to the list. -- Tremaine IT Security Consultant ----- Original Message ----- From: System Outage <[EMAIL PROTECTED]> Date: Mon, 5 Jul 2004 06:46:42 -0700 (PDT) Subject: Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability To: [EMAIL PROTECTED] If it's not about respect then what is it about? You have no respect for the Gmail Team, that's for sure. I guess this list isn't about respect... It's about kiddies posting advisories and exploits for fun and little care for the vendor(s). Cheerio [EMAIL PROTECTED] wrote: System Outage wrote: |The correct channel to post such "bugs" is the Gmail contact link for "bug |reports". I have already contacted Gmail about 10 days ago, but I have not received any replies till this moment. |If you had waited until the Gmail dev team declared gmail a public release, |you would have gained more respect in the security community scene. I don't think this is about respect afterall. Regards, Ahmed Motaz ------------------------------------------------------ Mailsurf.com your communication portal for SMS, Email, Fax, E-Cards and more. www.mailsurf.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ________________________________ Do you Yahoo!? Yahoo! Mail - Helps protect you from nasty viruses. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
