All vulnerability 'management' should use the same system that every other earthling uses: http://cve.mitre.org/

On Fri, Sep 10, 2010 at 7:18 AM, Tauren <[email protected]> wrote:
> I'm gonna go ahead and assume that with 9/900 some messages on this
> board, and how slow things are this is probably not the place that
> those bulletins get posted. Secondly look at patch notes for the
> android mobile phone, I am sure they mention it. Also keep in mind
> that there is a good probability that posts get archived that aren't
> current, including old fixed bulletins.
>
> That said... please check here:
> http://groups.google.com/group/android-security-announce
>
> As for your definition, how can we answer your question without your
> definition?
>
> On Sep 10, 9:53 am, Jan Niggemann <[email protected]> wrote:
>> 2010/9/10 Tauren <[email protected]>
>>
>> > First off, there have been a number of "android" vulnerabilities, go
>> > look at haxxor news and see what you turn up.
>>
>> I'm aware of the attack vectors and possibilities, thank you.
>>
>> > More so those bulletins probably were taken down when the
>> > vulnerability was removed in the followup emergency push.
>>
>> That's absurd. If so, why isn't there an archive for those security
>> bulletins?
>> And where are the postings to the full-disclosure mailing list? Let me
>> remind you that in 2008, the Android security team posted to that list, that
>> they'll publish security bulletins "when the fixes are available".
>> And I'm pretty certain that there have been no security bulletins so far.
>> Neither in the Google group, nor on said mailing list.
>>
>> > Lastly what is your definition of noteworthy?
>>
>> I'm pretty sure that no one cares about _my_ definition. Google writes:
>>
>> "We will publicly announce security bugs when the fixes are available
>> via postings to the android-security-announce group on Google Groups." (link
>> in my 1st post).
>> So it all boils down to this:
>>
>> IF security_bug found AND fixed
>> THEN publish bulletin.
>>
>> > Is noteworthy DOSing
>> > your phone via SMS? That has been done.
>> > I'm sure there are also other areas of the phone that need to be
>> > researched and looked at. Having some toolrod open a PDF and pwn
>> > their phone just like they did on the iphone is an example.
>>
>> The question is: Would that be a design flaw in the OS implementation or in
>> an app?
>> If it's the OS, following their own guidelines, Google should publish a
>> security bulletin. Either after the availability of a fix, or after 60 days.
>>
>> > The point is, you have a phone, it's actually a computer, it will have
>> > vulnerabilities, they are doing their best to remove them. The most
>> > you may hear of it is a little blurb with someone's name on it for
>> > finding the bug.
>>
>> So please show me the blurbs - where are they to be found?
>> You say there _are_ security issues. If that assertion is true, then there
>> should inevitably be a publication of that issue, if Google respects their
>> own guidelines.
>> At least if the issue is fixed, if I understand correctly.
>> Or it's just a matter of misinterpretation, maybe because my 1st language
>> isn't English ;-)
>> I just can't get straight that there _are_ security issues* AND there's no
>> publication of bulletins yet.
>>
>> Regards
>> jan
>> * No big deal for me, every piece of software has 'em.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
