Hi gaz, I think we should adopt the "normal" full-disclosure approach here?

As far as I know, there are a few different places that accept reported vulnerabilities and "push them out" to registered vendors, who get a time to poke at the problem, fix it, and then in due course the (now fixed) vulnerability gets published and the reporter gets the "fame" for having found and helped improve everything.

Does anyone know more about the mechanics of this process? While I'm a subscriber to several of these reporting things for various systems I run, I've not actually *posted* a vulnerability before, let alone worked out how to register a new product/service like OpenID.

CERT is the best known place that I know of.

Kind Regards,
Chris Drake

Tuesday, April 17, 2007, 7:26:20 PM, you wrote:

ghc> Hi all
ghc>
ghc> I have been thinking about 2 possible flaws with OpenID providers,
ghc> I haven't had time to test any of them however because I've started
ghc> work on another project.
ghc>
ghc> Now they might not even exist or they could possibly create huge
ghc> flaws in every provider worst case. I would like someone to test my
ghc> theories and see if the holes are possible to exploit.
ghc>
ghc> What do you think is the best policy here? Do you think it is safe
ghc> for me to publicly discuss this?
ghc>
ghc> Cheers
ghc> Gareth
ghc>
ghc> _______________________________________________
ghc> security mailing list
ghc> [email protected]
ghc> http://openid.net/mailman/listinfo/security
