[27796] in bugtraq
Finding Vendor Security Contacts
daemon@ATHENA.MIT.EDU (Ed Ravin)
Sat Nov 9 12:30:41 2002
Message-Id: <200211090339.gA93dOC22024@panix3.panix.com>
To: mark@ngssoftware.com (Mark Litchfield)
Date: Fri, 8 Nov 2002 22:39:24 -0500 (EST)
From: "Ed Ravin" <eravin@panix.com>
In-Reply-To: <005601c28701$2e57fab0$0100a8c0@liberty> from "Mark Litchfield" at Nov 08, 2002 12:31:05 AM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Mark Litchfield writes:
>
> Does anyone have or know of a security contact within www.real.com, as I
> have a serious issue to report. Tried the website, only have technical
> support and the web forms don't allow for much content.

At one of the BOF forums at LISA 2002, a representative from CERT,
after describing their extensive network of vendor contacts, said
that anyone who has trouble finding a security contact in a company
is welcome to contact CERT. Though CERT will not give you anyone's
email address, they will ask the vendor's security person to contact
you directly if you request. [Note: I have no experience with CERT,
I'm just reporting what their rep said at the BOF]

Another tip is to find the press office / public affairs office on
the vendor's web site - the PR folks usually understand the potential
image problems of security vulnerabilities.