Take a look here: http://www.oisafety.org/

OIS had guidelines for "responsible disclosure", which is used within the software and security industry to address these kinds of issues.

--brian

On 4/17/07 4:02 AM, "Chris Drake" <[EMAIL PROTECTED]> wrote:

> Hi gaz,
>
> I think we should adopt the "normal" full-disclosure approach here?
>
> As far as I know, there's a few different places who accept reported
> vulnerabilities and "push them out" to registered vendors, who get a
> time to poke at the problem, fix it, and then in due course, the (now
> fixed) vulnerability gets published and the reporter gets the "fame"
> for having found and helped improve everything.
>
> Does anyone know more about the mechanics of this process? While I'm
> a subscriber to several of these reporting things for various systems I
> run, I've not actually *posted* a vulnerability before, let alone
> worked out how to register a new product/service like OpenID.
>
> CERT is the best known place that I know of.
>
> Kind Regards,
> Chris Drake
>
>
> Tuesday, April 17, 2007, 7:26:20 PM, you wrote:
>
> ghc> -----BEGIN PGP SIGNED MESSAGE-----
> ghc> Hash: SHA1
>
> ghc> Hi all
>
> ghc> I have been thinking about 2 possible flaws with OpenID providers,
> ghc> I haven't had time to test any of them however because I've started
> ghc> work on another project.
>
> ghc> Now they might not even exist or they could possibly create huge
> ghc> flaws in every provider worst case. I would like someone to test my
> ghc> theories and see if the holes are possible to exploit.
>
> ghc> What do you think is the best policy here? Do you think it is safe
> ghc> for me to publicly discuss this?
>
> ghc> Cheers
>
> ghc> Gareth
> ghc> -----BEGIN PGP SIGNATURE-----
> ghc> Note: This signature can be verified at
> ghc> https://www.hushtools.com/verify
> ghc> Version: Hush 2.5
>
> ghc> wpwEAQECAAYFAkYkkkMACgkQrR8fg3y/m1CtSgP/Rn/9x6Syj2+h4Cig9Q7xckz10H2m
> ghc> MwGyZ1CDMrFlQjR0tAeLA2PVspbm+FsxsJawd5xwDFye3r4dUo4FBHew+1DFpeENXkK9
> ghc> R+hzov+nWtDsyWD/KkGMNnJKhtk7Olg2I8A3I7wJk0W60L0FYJcPrkUoInHrk3vFl25z
> ghc> SIY13Iw=
> ghc> =gJCA
> ghc> -----END PGP SIGNATURE-----

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
