Apologies again for the HTML — too many inline links for text. I'd probably leave these guys alone were it not for stuff like this <http://www.enomaly.com/High-Assurance-E.484.0.html>:

"*With Enomaly's patented security functionality, a service provider can deliver a unique, high security Cloud Computing service – commanding a higher price point than commodity public cloud providers.*"

Enjoy.

Sam

How NOT to respond to vulnerability reports
<http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html>

<http://memegenerator.net/instance/11298030>

Reuven Cohen <http://www.elasticvapor.com/> and the guys at Enomaly <http://www.enomaly.com/> could write the book on how NOT to respond to vulnerability reports:

1. Don't disavow vulnerabilities <https://twitter.com/#%21/ruv/status/133221009342992384> in products you've previously taken <http://www.elasticvapor.com/2008/04/enomaly-launches-giftagcom-for-bestbuyg.html> credit <http://www.elasticvapor.com/2008/09/bestbuys-giftagcom-getting-some-press.html> for
2. Don't claim issues are not valid <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be> while denying researchers a right of reply
3. Don't claim obvious issues are "unactionably vague" <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be> and then ignore them, even after a working exploit is publicly available <http://samj.net/2011/10/sploitcloud.html>
4. Don't claim trivial remote root exploits are "theoretically valid but extremely difficult to exploit" <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>
5. Don't claim it's ok to rely on <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be> security by obscurity or race conditions
6. Don't turn on moderation <http://groups.google.com/group/spotcloudbuyers/about> because a researcher posts a vulnerability report <http://groups.google.com/group/spotcloudbuyers/msg/a1e010147241298e> to your lists
7. Don't subsequently ban a researcher from your lists <http://1.bp.blogspot.com/-Kbx1w50mK_g/Trp0D54k9LI/AAAAAAAAAYs/ZZ0tIMoPLZE/s1600/spotcloud-banned.png> because they tried to notify your users when you failed to
8. Don't claim that security vulnerabilities are ok <http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> because there have been "*no reports of any security compromise*"
9. Don't claim <http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html> "*other mitigating factors that have been present in the environment from the beginning*" when the vulnerability has already been demonstrated
10. Don't ask for private notification of vulnerabilities <http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html> only to then ignore/dispute them
11. Don't publicly call researchers unethical <http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> for opting for full disclosure <http://en.wikipedia.org/wiki/Full_disclosure>, especially when they do so because you have been reticent and unresponsive in the past
12. Don't release ineffective fixes <http://seclists.org/bugtraq/2009/Feb/142>, especially when the researcher has told you exactly how to fix it
13. Don't dispute the vulnerability <http://samj.net/2010/02/private-cloud-security-is-no-security.html> when a clearinghouse like Secunia <http://secunia.com/> contacts you to verify it
14. Don't criticise researchers <http://twitter.com/ruv/status/8623995916> for reviewing your product
15. Don't shoot the messenger <http://www.elasticvapor.com/2008/11/v-for-vendetta.html>
16. Don't downplay critical vulnerabilities <http://www.elasticvapor.com/2008/11/v-for-vendetta.html> as "*relatively minor*", "random" paths as "*pretty hard to guess*", etc.
17. Don't send in board members <http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601> to fight your battles
18. Don't claim new products <http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601> having "*significant new and enhanced functionality*" is a valid excuse
19. Don't make security claims <http://www.enomaly.com/High-Assurance-E.484.0.html> like "High Assurance" if you're not going to take security seriously
20. Don't claim <https://spotcloud.appspot.com/terms> that "*Enomaly shall be entitled to (i) suspend or de-activate your account without notice, and (ii) retain any remaining funds in your account*", and definitely don't actually do it <http://3.bp.blogspot.com/-DMDtb1nYaew/Trp15BD8MiI/AAAAAAAAAY0/yCmWSKKOsZo/s1600/spotcloud-suspended.png>.

After my recent SploitCloud: exploiting cloud brokers for fun and profit <http://samj.net/2011/10/sploitcloud.html> article and the follow-up Retro vulnerability of the day: cleartext passwords over the wire <http://samj.net/2011/11/retro-vulnerability-of-day-cleartext.html> you'd have thought the publicly demonstrated vulnerabilities would have been quietly fixed and we'd have moved on. But no — they've decided instead to suspend my Spotcloud <http://www.spotcloud.com/> account so that I can't find any more holes, *keeping funds they were holding in trust for payment to third-party providers as "compensation"* — something I'm more inclined to refer to as "theft":

<http://3.bp.blogspot.com/-DMDtb1nYaew/Trp15BD8MiI/AAAAAAAAAY0/yCmWSKKOsZo/s1600/spotcloud-suspended.png>

Enomaly have also not only failed to notify Spotcloud buyers <http://groups.google.com/group/spotcloudbuyers> and sellers <http://groups.google.com/group/spotcloudsellers> that they are vulnerable themselves, but moderated (e.g. deleted) my notification to them and banned me from the lists in the process:

<http://1.bp.blogspot.com/-Kbx1w50mK_g/Trp0D54k9LI/AAAAAAAAAYs/ZZ0tIMoPLZE/s1600/spotcloud-banned.png>

If I were one of the (apparently few) users of the Spotcloud service then I'd be extremely dissatisfied, to say the least, that this information was being actively concealed from me. At the end of the day you owe it to yourselves and your users to only ever work with providers who take security seriously.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/