Vulnerability Disclosure and CVE assign

2019-11-14 Thread Alphan YAVAS
I. VULNERABILITY
-
Reflected XSS due to lack of input filtering in MicroStrategy Library

II. CVE REFERENCE
-
CVE-2019-18957

III. VENDOR
-
https://www.microstrategy.com/

IV. TIMELINE
-
05/07/2019 Vulnerability discovered
06/07/2019 Vendor contacted
06/09/2018 MicroStrategy fixed the vulnerability in release V11.1.3

V. CREDIT
-
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-
Reflected XSS due to lack of input filtering in MicroStrategy Library
(before 11.1.3), which allows a remote attacker to conduct reflected
cross-site scripting attacks.


Vulnerability Disclosure

2019-11-13 Thread Alphan YAVAS
I. VULNERABILITY
-
Reflected XSS due to lack of input filtering in MicroStrategy Library

II. CVE REFERENCE
-
Not Assigned yet

III. VENDOR
-
https://www.microstrategy.com/

IV. TIMELINE
-
05/07/2019 Vulnerability discovered
06/07/2019 Vendor contacted
06/09/2018 MicroStrategy fixed the vulnerability in release V11.1.3

V. CREDIT
-
Alphan Yavas from Biznet Bilisim A.S.

VI. DESCRIPTION
-
Reflected XSS due to lack of input filtering in MicroStrategy Library
(before 11.1.3), which allows a remote attacker to conduct reflected
cross-site scripting attacks.


Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-Unrestricted File Upload

2018-02-15 Thread Arvind Vishwakarma
--
Vulnerability Type: Unrestricted File Upload
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management.
Attack Type: Local - Authenticated
Impact: Malicious File Upload
-

Product description:
Bravo Tejari is a strategic procurement platform that enables
organizations to generate more value, influence innovation and reduce
risk, powered by a unique supplier-centered approach that integrates
supplier lifetime value throughout the entire procurement process.

Attack Scenario:
The Web Interface of the Bravo Tejari procurement portal does not
perform server-side checks on uploaded files. An attacker who has
access to the application can bypass client-side checks and upload
malicious executables, PDFs and web shells to the web server.

Affected Product Link:
https://xx..com/esop/evm/OPPreliminaryForms.do?formId=857

Impact:
The uploaded files are not properly validated by the application. An
attacker can take advantage of this vulnerability and upload malicious
executable files to compromise the application.

Recommendation:
All uploaded files must be validated on both the client and server
side before storing them on the server.


Credit: Arvind Vishwakarma
http://ultimateone1.blogspot.ae/

Vulnerability Timeline:

12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed
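The recommendation above (validate on the server, not only in the browser) in working form. This is an added example, not code from the advisory or from the Bravo Tejari product; the accepted-type table, the size limit and the sample files in the usage are constructed for illustration.

```python
"""Server-side validation of an uploaded file: allowlisted extension, size
cap, magic-byte check tied to that extension, a scan for active content,
and a random storage name so the client never chooses the path."""
import os
import secrets

# Constructed policy: extension -> bytes the content must begin with.
# Executables, scripts and web shells are rejected simply by not being here.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024  # constructed limit


class UploadRejected(Exception):
    """Raised when a file fails any server-side check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return a safe storage name for the file, or raise UploadRejected.

    The client-supplied name is consulted only for its final extension; the
    stored name is random, so directory traversal, overwriting another user's
    file, or choosing an executable name are all impossible.
    """
    if not content or len(content) > MAX_BYTES:
        raise UploadRejected("empty file or size over limit")
    # Drop any directory components the client sent (../ or ..\ tricks).
    base = os.path.basename(filename.replace("\\", "/"))
    # Only the last extension counts: "shell.php.pdf" must still be a PDF.
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not content.startswith(magic):
        raise UploadRejected("content does not match declared type")
    # Conservative check for script markers in an otherwise well-typed file
    # (polyglot files that a misconfigured server might execute or render).
    head = content[:4096].lower()
    if b"<?php" in head or b"<script" in head:
        raise UploadRejected("active content found in file")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_upload("report.pdf", b"%PDF-1.7 sample"))
    for name, data in [("tool.exe", b"MZ\x90\x00"),
                       ("tool.exe.pdf", b"MZ\x90\x00"),
                       ("page.pdf", b"%PDF-1.7 <?php echo 1; ?>")]:
        try:
            validate_upload(name, data)
        except UploadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

The magic-byte check is what defeats the "rename the executable to .pdf" bypass, and the random storage name means the extension-to-handler mapping on the server is decided by the allowlist, never by the uploader.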


Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-CSRF

2018-02-15 Thread Arvind Vishwakarma
-
Vulnerability Type: Cross Site Request Forgery (CSRF)
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management.
Attack Type: Local - Authenticated
Impact: Unauthorised Access
--

Product description:
Bravo Tejari is a strategic procurement platform that enables
organizations to generate more value, influence innovation and reduce
risk, powered by a unique supplier-centered approach that integrates
supplier lifetime value throughout the entire procurement process.

Attack Scenario:
The Web Interface of the Bravo Tejari procurement portal does not use
random tokens to block any kind of forged requests. An attacker can
take advantage of this scenario and create a forged request to edit
user account details like name, address of the company/individual,
email address etc. He then uses social engineering techniques to
target specific individuals whose account details he would like to
change. He simply sends the link and tricks the user into clicking the
forged HTTP request. The request is executed and user account details
are changed without his knowledge.

Proof of Concept Code:
Forged HTTP Request used by the attacker:

https://..com/esop/toolkit/profile/regData.do;
method="POST">
[form body not recoverable]

Impact:
The affected product is a procurement portal and so all communication
regarding the contract lifecycle process is sent to user details
provided on the portal. If this vulnerability is successfully
exploited, the attacker will be able to change these details which
will potentially affect the victim's business.

Recommendation:
Ensure that all sensitive CRUD Operations are appropriately protected
with random tokens. Alternatively, the sensitive operations should
also have an authentication layer to confirm user verification.


Credit: Arvind Vishwakarma
http://ultimateone1.blogspot.ae/



Vulnerability Timeline:
12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed
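The "random tokens" recommendation above, implemented as a synchronizer token on the profile-edit request. This is an added example and not code from the advisory or the Bravo Tejari portal; the session, request form and account are plain dicts standing in for a web framework, and the origin `https://portal.example` is a constructed value.

```python
"""Synchronizer-token CSRF protection for a state-changing request.

A cross-site page can make the victim's browser send cookies, but it cannot
read the per-session token embedded in our own form, so a forged POST fails
the comparison below and the account is never touched."""
import hmac
import secrets
from typing import Optional

ALLOWED_ORIGIN = "https://portal.example"  # constructed


def issue_csrf_token(session: dict) -> str:
    """Create one random token per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session: dict) -> str:
    """Embed the session's token as a hidden field in the edit form."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/profile/regData">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def verify_csrf(session: dict, form: dict, origin: Optional[str]) -> bool:
    """Accept only if the submitted token equals the session token.

    The Origin header, when the browser supplies it, is checked as an
    independent second signal; it is not a substitute for the token.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    return True


def update_profile(session: dict, form: dict, origin: Optional[str], account: dict) -> bool:
    """State-changing handler: refuses to modify the account without a valid token."""
    if not verify_csrf(session, form, origin):
        return False
    for field in ("name", "address", "email"):
        if field in form:
            account[field] = form[field]
    return True


if __name__ == "__main__":
    session, account = {}, {"email": "victim@example.com"}
    token = session_token = issue_csrf_token(session)
    print(update_profile(session, {"csrf_token": token, "email": "new@example.com"},
                         ALLOWED_ORIGIN, account))                     # True
    print(update_profile(session, {"email": "attacker@example.com"},
                         "https://evil.example", account))             # False
```

The token must be compared with a constant-time function and must be unguessable; the comparison is what makes the "tricks the user into clicking a link" scenario fail, because the attacker's page has no way to learn the victim's token.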


Ellucian Banner Student Vulnerability Disclosure

2015-12-02 Thread sean . dillon
Previous CVEs for Banner Student were filed under vendor SunGard. All 
vulnerabilities are fixed in patch pcr-000134142_bws8070102, in latest version 
of the product (8.7.1.2) as of November 26, 2015.

-

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect') 
[CWE-601]
CVE Reference: CVE-2015-5054
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: RiskSense, Inc.

Advisory Details:

Open Redirect in Ellucian Banner Student: CVE-2015-5054

A user can be redirected to a malicious page when a link is clicked from a 
crafted URL.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A10 - 
https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
[4] CWE-601 - https://cwe.mitre.org/data/definitions/601.html

-

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2
Tested Version: 8.5.1.2
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Improper Neutralization of Input During Web Page Generation 
('Cross-site Scripting') [CWE-79]
CVE Reference: CVE-2015-4687
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

Reflected Cross-Site Scripting (XSS) in Ellucian Banner Student: CVE-2015-4687

Unsanitized data input from application parameters allows an attacker to 
execute arbitrary JavaScript code using a malicious URL.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A3 - 
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
[4] CWE-79 - https://cwe.mitre.org/data/definitions/79.html

-

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Information Exposure Through Discrepancy [CWE-203]
CVE Reference: CVE-2015-4688
Risk Level: Medium
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

User Enumeration in Ellucian Banner Student: CVE-2015-4688

Differences between server responses can be used to brute-force user accounts 
in the system.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - 
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-203 - https://cwe.mitre.org/data/definitions/203.html

-

Product: Banner Student
Vendor: Ellucian Company L.P.
Vulnerable Version: 8.5.1.2 - 8.7
Tested Version: 8.7
Vendor Notification: June 18, 2015
Public Disclosure: December 2, 2015
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password 
[CWE-640]
CVE Reference: CVE-2015-4689
Risk Level: Medium - High
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSSv3 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Mitigation: None, Upgrade to 8.7.1.2
Discovered and Provided: Ellucian Company L.P.

Advisory Details:

Weak Password Reset in Ellucian Banner Student: CVE-2015-4689

An attacker is able to change login credentials of users through a weak 
password reset mechanism.

References:

[1] Ellucian Company L.P. - http://www.ellucian.com/
[2] Banner Student - http://www.ellucian.com/Software/Banner-Student/
[3] OWASP A2 - 
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
[4] CWE-640 - https://cwe.mitre.org/data/definitions/640.html

-

RiskSense, Inc. Security Analysts: Dylan Davis, Sean Dillon, Zachary Harding 
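For the user-enumeration finding above (CVE-2015-4688, a response discrepancy, CWE-203) and the weak password-reset finding (CVE-2015-4689), the defensive pattern is a login and reset flow whose status, message and cost are the same whether or not the username exists. This is an added example, not code from the advisory or from Banner Student; the in-memory user store, the PBKDF2 parameters and the reset queue are constructed.

```python
"""Login and reset handlers that do not reveal account existence.

Unknown usernames are checked against a dummy record so the expensive hash
runs either way, and both failure paths return byte-identical responses."""
import hashlib
import hmac
import os
from typing import List, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed parameters; iteration count kept modest so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Constructed user store: username -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy record used for unknown usernames so timing does not differ.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-never-valid", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."
RESET_MESSAGE = "If that account exists, a reset link has been sent."
RESET_QUEUE: List[str] = []  # constructed stand-in for an outbound mail queue


def login(username: str, password: str) -> Tuple[int, str]:
    """Return (status, message); identical for wrong password and unknown user."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    known = username in USERS          # evaluated unconditionally, no early return
    if matches and known:
        return 200, "Login successful."
    return 401, GENERIC_FAILURE


def password_reset_request(username: str) -> Tuple[int, str]:
    """Reset flow answers the same way for every username; the real work
    (mailing a single-use, expiring link to the address on file) happens
    only for known accounts, out of band."""
    if username in USERS:
        RESET_QUEUE.append(username)
    return 200, RESET_MESSAGE


if __name__ == "__main__":
    print(login("alice", "correct horse battery"))
    print(login("alice", "wrong"), login("nobody", "wrong"))
    print(password_reset_request("alice"), password_reset_request("nobody"))
```

The reset message never confirms the account, and the link it would send is the only secret in the flow; a reset that instead asks for guessable facts, or lets the caller set a new password directly, is the CWE-640 weakness the advisory describes.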


[CVE-2015-3253] Apache Groovy Zero-Day Vulnerability Disclosure

2015-07-16 Thread Cédric Champeau
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

All unsupported versions ranging from 1.7.0 to 2.4.3.

Impact

Remote execution of untrusted code, DoS

Description

When an application has Groovy on the classpath and uses the standard
Java serialization mechanism to communicate between servers, or to
store local data, it is possible for an attacker to bake a special
serialized object that will execute code directly when deserialized.
All applications which rely on serialization and do not isolate the
code which deserializes objects are subject to this vulnerability.

Mitigation

Apache Groovy 2.4.4 is the first and only supported release under the
Apache Software Foundation. It is strongly recommended that all users
upgrade to this version. If you cannot upgrade or rely on an older,
unsupported version of Groovy, you can apply the following patch to
the MethodClosure class
(src/main/org/codehaus/groovy/runtime/MethodClosure.java):

 public class MethodClosure extends Closure {
+private Object readResolve() {
+throw new UnsupportedOperationException();
+}
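Review bot: the added readResolve() throws UnsupportedOperationException, an unchecked exception, so code that calls ObjectInputStream.readObject() and catches the conventional checked java.io.InvalidObjectException (an IOException) will not handle this rejection as a deserialization failure; consider `throw new InvalidObjectException("MethodClosure is not deserializable");` so the refusal surfaces through the stream's normal error path, and add a comment stating why the method exists, since a private method with no callers otherwise reads like dead code. The hunk also carries no trailing context and no closing brace for the class, so anyone applying it by hand should confirm the method lands inside the MethodClosure body.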

Credit

This vulnerability was discovered by:

   cpnrodzc7 working with HP's Zero Day Initiative

References

http://groovy-lang.org/security.html


Avolve Software ProjectDox Multiple Vulnerability Disclosure

2014-09-04 Thread Romano, Christian
-

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5129
Risk Level: Medium
CVSSv2 Base Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Cross-Site Scripting in ProjectDox: CVE-2014-5129

Reflected and Persistent Cross-Site Scripting were found in the
ProjectDox application. Unsanitized data input from application query
parameters and other vectors exist to execute arbitrary JavaScript
code in the context of the victim browser.

References:

[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox -
http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Cross-Site Scripting -
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

-

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Insecure Direct Object Reference [CWE-639]
CVE Reference: CVE-2014-5130
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Insecure Direct Object Reference in ProjectDox: CVE-2014-5130

The application allows users to access other users' information using
a direct access token. If a user can guess or visually inspect the
token, a user can directly access this data without authorization.

References:

[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox -
http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Insecure Direct Object Reference -
https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)

-

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: Ciphertext Reuse [CWE-329]
CVE Reference: CVE-2014-5131
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Ciphertext Reuse in ProjectDox: CVE-2014-5131

The application encrypts data identifiers without an IV, or with an
identical IV, in multiple locations. By substituting ciphertext from one
location of the application into another location, an attacker is able
to gain access to other users' information.

References:

[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox -
http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] Missing IV with Cipher Block Chaining -
https://www.owasp.org/index.php/Not_using_a_random_initialization_vector_with_cipher_block_chaining_mode
[4] Inadequate Encryption Strength -
http://cwe.mitre.org/data/definitions/326.html

-

Product: ProjectDox
Vendor: Avolve Software
Vulnerable Version: 8.1
Tested Version: 8.1
Vendor Notification: May 30, 2014
Public Disclosure: September 3, 2014
Vulnerability Type: User Enumeration [CWE-203]
CVE Reference: CVE-2014-5132
Risk Level: Medium
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

User Enumeration in ProjectDox: CVE-2014-5132

The application allows an attacker to probe for valid users via email addresses.

References:

[1] Avolve Software - http://www.avolvesoftware.com/
[2] ProjectDox -
http://www.avolvesoftware.com/projectdox/electronic-plan-review/
[3] User Enumeration -
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

-


Sierra Library Services Platform Multiple Vulnerability Disclosure

2014-08-29 Thread Romano, Christian
Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5136
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Reflected Cross-Site Scripting in Library Services Platform: CVE-2014-5136

Unsanitized data input from application query parameters allows an
attacker to execute arbitrary JavaScript code in the context of a
victim browser using a malicious URL link. The application at the time
of test had the Webpac Pro submodule enabled.

References:

[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] Cross-Site Scripting -
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)


Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: User Enumeration [CWE-204]
CVE Reference: CVE-2014-5137
Risk Level: Medium
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

User Enumeration in Library Services Platform: CVE-2014-5137

A response discrepancy in the application login allows an attacker to
determine valid user accounts tested. The application at the time of
test had the Webpac Pro submodule enabled.

References:

[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] User Enumeration -
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)


Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: HTTP Parameter Pollution [CWE-235]
CVE Reference: CVE-2014-5138
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

HTTP Parameter Pollution in Library Services Platform: CVE-2014-5138

The application allows multiple instances of the same query parameter.
The last instance of the parameter provided is used by the
application. As the application logic or any web application firewall
may interpret the parameters differently, an attacker may be able to
bypass the normal verification of parameter safety. The weakness was
not found to pose an immediate threat to application users in the
tested configuration. The Webpac Pro submodule was enabled at the time
of the test.

References:

[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Sierra Library Services Platform - http://www.iii.com/products/sierra
[3] HTTP Parameter Pollution -
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
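The HTTP parameter pollution finding above (CVE-2014-5138) turns on two components reading a repeated parameter differently: one taking the first value, the application taking the last. The detection logic below flags exactly that condition in request logs and models the two resolution policies side by side. This is an added example, not code from the advisory or from Sierra; the log lines and the `METHOD URL STATUS` log format are constructed.

```python
"""Detecting HTTP parameter pollution: report parameters that occur more
than once in a query string where the first and last values differ, which is
the case in which a front-end filter and the application can disagree."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit


def all_values(url: str) -> Dict[str, List[str]]:
    """Every occurrence of every parameter, in order (parse_qsl keeps duplicates)."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return seen


def polluted_params(url: str) -> Dict[str, List[str]]:
    """Parameters that appear more than once, with all their values."""
    return {n: v for n, v in all_values(url).items() if len(v) > 1}


def resolve(url: str, name: str, policy: str) -> Optional[str]:
    """Model a component's choice: policy 'first' (typical of a filter) or
    'last' (the behaviour the advisory describes for the application)."""
    values = all_values(url).get(name)
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


# Constructed access-log lines in 'METHOD URL STATUS' form.
SAMPLE_LOG = [
    "GET /search?searchtype=t&searcharg=history 200",
    "GET /search?searchtype=t&searcharg=history&searcharg=cats 200",
    "GET /search?page=1&page=1 200",
]


def scan_access_log(lines: List[str]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (url, {param: values}) for requests where a repeated parameter's
    first and last values differ; equal repeats (page=1&page=1) are benign."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = parts[1]
        dupes = {n: v for n, v in polluted_params(url).items() if v[0] != v[-1]}
        if dupes:
            findings.append((url, dupes))
    return findings


if __name__ == "__main__":
    for url, dupes in scan_access_log(SAMPLE_LOG):
        for name in dupes:
            print(url, name, "filter sees:", resolve(url, name, "first"),
                  "app uses:", resolve(url, name, "last"))
```

The safe server-side fix is the mirror image of the detector: reject, or at least log, any request in which a security-relevant parameter is repeated, rather than silently picking one value.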


Encore Discovery Solution Multiple Vulnerability Disclosure

2014-08-27 Thread Romano, Christian
Product: Encore Discovery Solution
Vendor: Innovative Interfaces Inc
Vulnerable Version: 4.3
Tested Version: 4.3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-5127
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Open Redirect in Encore Discovery Solution: CVE-2014-5127

Using a maliciously crafted URL, an attacker is able to redirect users
to an attacker-controlled parameter.

References:

[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Encore Discovery Solution - http://www.iii.com/products/encore
[3] Open Redirect - https://www.owasp.org/index.php/Open_redirect

Product: Encore Discovery Solution
Vendor: Innovative Interfaces Inc
Vulnerable Version: 4.3
Tested Version: 4.3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Session Token in URL [CWE-598]
CVE Reference: CVE-2014-5128
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Session Token in URL in Encore Discovery Solution: CVE-2014-5128

The application passes the session token within the application GET
query parameters. This behavior is considered dangerous due to the
potential for information leakage.

References:

[1] Innovative Interfaces Inc - http://www.iii.com/
[2] Encore Discovery Solution - http://www.iii.com/products/encore
[3] Session Token in URL -
http://www.acunetix.com/vulnerabilities/session-token-in-url/


ArcGIS for Server Vulnerability Disclosure

2014-08-21 Thread Romano, Christian
Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5121
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Reflected Cross-Site Scripting (XSS) in ArcGIS for Server: CVE-2014-5121

Multiple vectors of unsanitized data input from application query
parameters allow an attacker to execute arbitrary JavaScript code
using a malicious URL link.

Product: ArcGIS for Server
Vendor: ESRI
Vulnerable Version: 10.1.1
Tested Version: 10.1.1
Vendor Notification: June 19, 2014
Public Disclosure: August 15, 2014
Vulnerability Type: Open Redirect [CWE-20]
CVE Reference: CVE-2014-5122
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Open Redirect in ArcGIS for Server: CVE-2014-5122

Using a crafted URL, upon login, the user's browser is redirected to
an attacker-controlled parameter.
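The open-redirect findings on this page (CVE-2014-5122 above, CVE-2014-5127 in Encore, CVE-2015-5054 in Banner Student) all share one root cause: a post-login redirect parameter is trusted as given. The validator below keeps such a target inside the application and falls back to a fixed landing page otherwise. This is an added example, not code from any of the advisories or products; the allowed host `portal.example` and the default path are constructed.

```python
"""Validate a 'return to' URL before redirecting to it.

Covers the common bypasses of a naive check: absolute URLs to other hosts,
scheme-relative '//host', backslash variants, userinfo tricks
('https://ours@evil'), and non-HTTP schemes such as javascript: or data:."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"portal.example"}          # constructed
DEFAULT_AFTER_LOGIN = "/home"               # constructed
REQUEST_BASE = "https://portal.example/"    # constructed


def safe_redirect_target(next_param: Optional[str]) -> str:
    """Return next_param if it can only lead back into this site, else the default."""
    if not next_param:
        return DEFAULT_AFTER_LOGIN
    # Browsers treat backslashes in the authority like slashes; normalise first.
    candidate = next_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_AFTER_LOGIN          # javascript:, data:, vbscript:, ...
    if parts.netloc:
        # Absolute or scheme-relative URL: hostname (not netloc, which may
        # carry userinfo) must be ours.
        return candidate if parts.hostname in ALLOWED_HOSTS else DEFAULT_AFTER_LOGIN
    # Relative target: require a single leading slash; '//' and '///' forms
    # are treated as authorities by browsers even when urlsplit gives no netloc.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_AFTER_LOGIN
    resolved = urlsplit(urljoin(REQUEST_BASE, candidate))
    if resolved.hostname not in ALLOWED_HOSTS:
        return DEFAULT_AFTER_LOGIN
    return candidate


if __name__ == "__main__":
    for sample in ["/dashboard?tab=1", "https://portal.example/x",
                   "https://evil.example/", "//evil.example", "/\\evil.example",
                   "https://portal.example@evil.example/", "javascript:void(0)"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)}")
```

Where the application does not need arbitrary return URLs at all, the stronger design is to accept only a short key into a server-side table of allowed destinations, which removes the parsing problem entirely.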


Vulnerability disclosure comments

2007-01-25 Thread Shawna McAlearney

Thank you to all who helped out by sharing your opinions on our
vulnerability articles!



STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to Close Soon! (fwd)

2002-04-22 Thread Adam Shostack

- Forwarded message from Jennifer S. Granick [EMAIL PROTECTED] -

X-Sender: [EMAIL PROTECTED]
Date: Wed, 17 Apr 2002 10:05:27 -0800
To: [EMAIL PROTECTED]
From: Jennifer S. Granick [EMAIL PROTECTED]
Subject: STANFORD CONFERENCE ON VULNERABILITY DISCLOSURE: Early Reg to
 Close Soon!

The early registration for Stanford's Center for Internet and Society
Conference on Computer Security Vulnerability Disclosure is about to close. 
Register today!

http://cyberlaw.stanford.edu

Current Agenda:

Agenda
Conference on Cyber Security and Disclosure
Thursday, May 9, 2002
7:30 a.m. Registration & Continental Breakfast
8:30 a.m. Welcome and Introductions
John Place, Stanford Center for Internet & Society
8:45 a.m. Information Sharing and the Freedom of Information Act
Matt Richtel, The New York Times (moderator)
Harris Miller, Information Technology Association of America
Alan Morrison, Stanford Law School and Public Citizen Litigation Group
Paul Nicholas, President's Critical Infrastructure Protection Board, The White
House
Mark Rasch, Predictive Services
David Sobel, Electronic Privacy Information Center

10:15 a.m. Break
10:30 a.m. The Ethics of Disclosure
Edward Felten, Princeton University and Stanford Law School
Steven Lipner, Microsoft
Helen Nissenbaum, New York University (invited) 

12:00 p.m. Keynote Luncheon
Bruce Schneier
Founder and Chief Technical Officer
Counterpane Internet Security, Inc.
Crocker Garden, Stanford Law School 

1:30 p.m. Disclosure and the Computer Security Professional
Edward Felten, Princeton University and Stanford Law School (moderator)
Gary McGraw, Cigital
Emily Sebert, @stake, Inc.

3:15 Break

3:30 p.m. Disclosure and the Computer Security Freelancer
Jennifer Stisa Granick, Stanford Law School (moderator)
Minh-Hang Nguyen, 7 Pillars
Rain Forest Puppy, Independent
Lee Tien, Electronic Frontier Foundation
Michael Wilson, 7 Pillars
5:00 p.m. Closing Remarks
5:10 p.m. Conference Ends
--


Jennifer Stisa Granick, Esq.
Director, Law and Technology Clinic
Stanford Law School
Center for Internet and Society
559 Nathan Abbott Way
Stanford, California 94305

(650) 724-0014
(650) 723-4426 fax

[EMAIL PROTECTED]

- End forwarded message -