On 6/20/17, mfisch--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote:
>> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via
>> dev-security-policy wrote:
>> > If you should find such an issue again in a Cisco owned domain, please
>> > report it to ps...@cisco.com and we will ensure that prompt and proper
>> > actions are taken.
>>
>> I don't know, this way seems to have worked Just Fine.
>>
>> - Matt
>
> Does no-one else see the lack of responsible disclosure in this thread
> distressing?
Nope. The first requirement for "responsible disclosure" is knowing you're
disclosing something. Take a look at the original msg:

-- I wasn't entirely sure whether this is considered a key compromise. I asked
-- Hanno Böck on Twitter (https://twitter.com/koenrh/status/873869275529957376
-- <https://twitter.com/koenrh/status/873869275529957376>), and he advised me to
-- post the matter to this mailing list.
<.. snip ..>
-- If this is indeed considered a key compromise, where do I go from here, and what
-- are the recommended steps to take?

If you want to argue that I should have replied with something about sending
the info to ps...@cisco.com instead of just forwarding the 1st two messages in
the thread to them.. yeah, maybe I should have done it that way.

> Instead -- this was posted to a public forum giving many thousands of people
> the opportunity to chain a vector attack against Cisco CCO IDs (which in
> some cases might lead to customer network compromise).

I'm curious - how does one use a cert for drmlocal.cisco.com to chain a vector
attack against Cisco CCO IDs?

Regards,
Lee

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy