Tuesday, July 10, 2007

[The Policy I follow]

This policy outlines how I try to handle responsible disclosure of a vulnerability
to the product vendors, security vendors and the general public.


Step 1: Vulnerability detected

Step 2: Inform the vendor of the product or the service formally through email to the following mail accounts/aliases:
security@VENDOR,
support@VENDOR,
info@VENDOR,
secure@VENDOR,
admin@VENDOR,
sysadmin@VENDOR

Step 3: Wait for vendor's acknowledgement for 5 working days

Step 4: If the vendor fails to acknowledge the initial notification within 5 working days, I contact the vendor a second time using mail & other publicly available contact media such as phone or fax.

Step 5: If a vendor response is received within the timeframe, we (the vendor & I) wait for a reasonable period of time to develop a fix. I make every effort to work with vendors to ensure that they get the technical details and severity of the flaw detected.

Step 6: Once the patch is ready & released within a responsible timeframe, with the consent of the vendor I will formally and publicly release the security advisory on selected security mailing lists & other forums.

Consent of the vendor for disclosure is important, as a few vendors do not like to get their vulnerability publicized, as it may affect their reputation. Respecting their feelings, I get the consent from the vendor & then publicize the flaw.

Saturday, July 07, 2007

Here we are organizing the third sequel of BarCamp in Pune.
A deferred live report :)

0845: Reached Persistent Tower. As I entered the building the first thing I noticed was Kiran running around managing posters. This guy was the man behind the success of BarCampPune3.

0850: Started the day, managed a few posters & then moved to check the registration desk @ 7th floor. A few volunteers were already there. Had the first look at the T-shirts, which flew in from Bangalore in the morning only. Nice t-shirts, thanks, ThoughtWorks.

0900: People started pouring in, thank god it’s not raining at this moment. Registration started. People registering their laptops, putting stickers, admiring t-shirts, moving over to the storyboard for planning their sessions.

0945: Campers still coming, no session for 1000, planning to move the 1045 session to 1030 & start the event.

1000: Almost everybody is done with the breakfast. Wandering around, planning for which sessions to attend.

1015: Welcome & brief intro by Hrishikesh. Good to see that the crowd in Pune has started understanding barcamps & unconferences. They know what they are here for & what to expect.

1030: Started the first session on the 4th floor. Organizers still managing stuff on the 4th floor & 7th floor. Kiran & Jatinder jotted down the whole storyboard & got printouts for every camper.

1045: I got time to reach one of the sessions, sat for a few minutes in TVguide.in by Rakesh Raju. Nice concept.

1050: Showed the first placard of "10 min left" to Rakesh, followed by "5 min left" & "time up". We learnt this from Tarun at BlogCamp. This really helps in managing the timing of sessions.

1115: Same room, Aditya starting (although with a few hiccups) on MS Silverlight. Good talk, Aditya.

1145: Finished Aditya's session with "time up" & moved to the 7th floor for some discussions.

1245: People gathering @ 7th floor for lunch. PSPL canteen had arranged very nice food, but pure veg :( There was a sign board sitting next to the sweet dish: "One Helping Only". Funny, but don't worry, it’s a BarCamp & people know what they have to do.

1330: One table full of BarCamp organizers. Atul, Anand, Jatinder, Anil, Harshal, Tarun, myself, Karthik; we are missing you, Dibya! Nice time to decide future camps (I know we are yet to finish this one).

1400: Started a new thread in the discussion room on the 1st floor with Rohas Nagpal telling people about how to set up a tech company in the US/UK/Singapore.

1402: The first announcement about ClubHack. Thanks, Atul, for your loud voice to catch attention. We announced the next big event, ClubHack, & noticed that people were quite excited about the same.

1430: Waved the "5 min" sign to Rohas & moved to the 4th floor to announce ClubHack in the other rooms.

1445: All announcements done, now attending the session on LifeLogger by Anand. Andy, you do such complex things???

1515: I didn't want to show the time-up thing to Anand, as he was from my own team, but couldn't help it. Thanks to everyone, no one got offended (hopefully) & the sessions were managed properly.

1530: Same room, attending the session by Freeman on OpenSource Education. You are doing great work, Freeman.

1600: Snax time! I wonder why the tomato sauce was kept in such a big vessel; many people mistook it for soup :)

1630: Session on Firefox addons by Vinod. I have tried learning these things many times :). Helpful session, Vinod, but I’m not sure when I’d start writing my own addon.

1715: All organizers gathered in the lobby. Discussed how many tracks they were able to attend. Hey, look at this, even I got a chance to attend five and a half sessions. I know it’s a big count when you are also in the organizing team. Thanks to PSPL for such a nice arrangement.

1730: Another session about to start, but not feeling like attending it. Started winding up stuff.

1800: Had to barge into the last session and request Amit to wind up his session on web2.0 powered by PHP. Sorry guys, but we needed to finish off stuff in time.

1830: All organizers sitting in the beautiful lobby of PSPL, relaxing after a successful day. 07/07/07 was really a good day for us.

1900: Pack up & go!!! Hope to see you all at the next camp / ClubHack.

I know Atul & Anand will be moving to the US soon, but I’m sure we'll get their assistance remotely. After all, it’s a digital world.