On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote:
> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via
> dev-security-policy wrote:
> > If you should find such an issue again in a Cisco owned domain, please
> > report it to ps...@cisco.com and we will ensure that prompt and proper
> > actions are taken.
>
> I don't know, this way seems to have worked Just Fine.
>
> - Matt
Does no-one else find the lack of responsible disclosure in this thread distressing? Yes, the cert was revoked, and for all you know, during the race that was this public disclosure there could have been compromise. There are APT actors watching this thread right now looking for opportunities. This could have been reported to the vendor, or if you are not happy with Cisco's security response, to the CA first. 24 hours is not too long to keep this under your hat.

Instead -- this was posted to a public forum, giving many thousands of people the opportunity to chain a vector attack against Cisco CCO IDs (which in some cases might lead to customer network compromise).

If our community does not work to encourage more responsible disclosures, the governments will do it for us, and it won't be nice. "Remember the Wassenaar"

Matt

Matthew Fisch, CISSP
mfi...@fortmesa.com

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy