First contact
- Site: http://www.tufin.com
[Advisory Timeline]
- 12/02/2011 -> First Contact requesting security department contact;
- 12/02/2011 -> Vendor reply
- 12/05/2011 -> New Contact
- 12/09/2011 -> Advisory sent to Vendor
- 12/09/2011 -> Coordinate to disclosure
- QuesCom Qportal User
[Vendor Product Description]
- No vendor product description
- Site: http://www.quescom.com/
[Advisory Timeline]
- 12/01/2011 -> First Contact requesting security department contact;
- 12/01/2011 -> Vendor reply.
- 12/01/2011 -> Adv. sent to vendor.
- 12/05/2011 -> Vendor reply.
- 12/05/2011 -> Video sent to vendor.
- 12/06/2011 -> Vendor reply.
- 12/07/2011 -> Published
[Bug Summary]
- Site: http://www.elxis.org/
[Advisory Timeline]
- 11/22/2011 -> First Contact requesting security department contact;
- 11/22/2011 -> Vendor responded;
- 11/23/2011 -> Advisory sent to vendor;
- 11/23/2011 -> Vendor reply; bug fixed, patch released and publication
coordinated.
- 12/05/2011 -> Published.
- Site: http://www.ebuddy.com
[Advisory Timeline]
- 05/06/2011 -> The bug was found;
- 06/06/2011 -> First Contact requesting security department contact;
- 06/06/2011 -> Vendor responded;
- 09/06/2011 -> Advisory sent to vendor;
- 15/06/2011 -> A demo movie sent to vendor showing how to exploit the
flaw;
- 17/06/2011 -> Vendor developing a new version;
No vendor response.
V. Timeline
March 10th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release
VI. Credits
This vulnerability was discovered by Scanit's researchers Filipe
root user may change the graphics configuration."
V. Timeline
February 20th, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
March 27th, 2008 - Vendor response
June 30th, 2008 - Advisory release
VI. Credits
No vendor response.
V. Timeline
March 1st, 2008 - Vulnerability discovery
March 24th, 2008 - First contact attempt
June 30th, 2008 - Advisory release
VI. Credits
This vulnerability was discovered by Scanit's researchers Filipe
The vendor fixed this vulnerability in the new version. Please see the
references.
Advisory Timeline
--------------------
12/03/2012 - First contact: Sent the vulnerability details
20/03/2012 - Vulnerability Fixed in latest version
25/04/2012 - Vulnerability Released
Credits
--------------------
references.
Advisory Timeline
--------------------
05/12/2011 - First contact: Sent the vulnerability details
19/12/2011 - Second contact: Ask for patch
18/01/2012 - Vulnerability Fixed in latest version
24/01/2012 - Vulnerability Released
Credits
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/3.1.1/
[+] Timeline
Aug 2010: First contact with vendor
Aug 2010: Vendor confirmation
Sept 2010: Second contact: SQL Injection vulnerabilities
Sept 2010: Confirmation that the fix will be released in October
Oct 2010: PandoraFMS security patch for 3.1 version released
Oct 2010: Request for CVE numbers
Daniel Fernandez Bleda (dfernandez (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
January 30, 2007: Initial release
April 18, 2007: First contact with the vendor. Minor corrections.
November 09, 2007: Some corrections applied.
XI. DISCLOSURE TIMELINE
-------------------------
January 30, 2007: Vulnerability acquired by
0x03 : Vendor communication
---------------------------
[*] January 14th, 2010 - First contact
[*] January 15th, 2010 - Vendor acknowledges the problems
[*] January 20th, 2010 - Update request
[*] February 1st, 2010 - Vendor update
[*] February 4th, 2010 - Version 2.2.00 released
History
=======
2007-05-07 First contact with head of technical staff of Alcatel-Lucent.
Will relay the information to their technicians and call back
with further information.
2007-05-09 Response with a pointer to the Alcatel-Lucent PSIRT and the
website http://www1.alcatel-lucent.com/psirt, where the
process of reporting a security vulnerability is explained.
Impact
A malicious user could manipulate SQL queries by injecting arbitrary
SQL code and retrieve private information.
Time-line
June 2, 2009 – First contact by contact form
June 17, 2009 – Second contact by email
June 17, 2009 – Reply from vendor
June 18, 2009 – Vendor reported that only standalone version and
Joomla 1.0.x component are vulnerable
June 24, 2009 – Vendor asked for more time to patch and warn their
September 21, 2010: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
August 21, 2010: Discovered by Internet Security Auditors
August 31, 2010: Tuenti first contact. No response.
September 2, 2010: Second contact through another social network.
Response from Sec. Team.
September 3, 2010: Advisory sent to Sec. Team.
September 8, 2010: Tuenti confirmed the issue was identified thanks to our
tests and corrected immediately.
> The user tells the browser I want www.example.com *.example.com and
> *.foo.bar to be trusted under this certificate. The browser obeys as it
> should.
Agreed again: if all subjectAltNames were shown to the user on first
contact, like the CN, it would be a user issue. Instead, browsers bury
them in details; Konqueror does not even show them *anywhere*. So an
average user does not have enough information to make a proper decision.
However, vendors seem to head towards strong hostname binding. MSIE,
Opera and Safari 3 already do so. Mozilla-1.9/Firefox-3 will have the