On Tue, Mar 16, 2004 at 10:16:29PM +1100, Gottfried Szing wrote:
> if someone finds a security hole in a web application and wants to
> notify the admin of the page, what do you suggest are the next steps to
> be taken to ensure that the admin takes the report seriously?
Inform the admin. Give an *exact* problem report, with a recipe for
reproduction. Explain what you believe the ramifications are. You can
mention what you intend to do after this ("in 14 days I will report this
problem to Bugtraq unless you contact me to discuss an extension") but you
have to make very sure it doesn't look like a threat or blackmail or
anything. Ensure you've provided good contact details for yourself.
If it's OSS, create a minimal patch which fixes the problem, and include
that.
> I mean, just sending the report without a description of further steps
> (publication after some time, ...) is not really helpful. Most of the
> reports will be ignored or simply "forgotten".
Any admin who ignores security-related vulnerabilities needs to be shot.
Just find the IP range they're responsible for and null-route it. Much
easier in the long run.
> does someone have a link to a page or can give me some suggestions?
I'm sure bugtraq and fulldisclosure would have information on usefully
reporting security vulnerabilities, but I couldn't give you exact URLs.
- Matt
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html