9. *Report Timeline*
. 2010-11-24:
Core Security Technologies contacts IBM, requesting the proper point of
contact to report a security vulnerability in IBM WebSphere Application
Server.
. 2010-11-29:
Vendor responds providing the point of contact to report the
vulnerability, and its PGP key to encrypt communications.
Additional Information
----------------------
Timeline:
2008-12-03: Issue discovery
2008-12-05: Initial Vendor Notification: Point of Contact requested via
contact form on website (No suitable e-mail available)
2008-12-14: Vendor Response: Customer support answered without providing
any suitable contact for vulnerability communication
2008-12-19: Public Disclosure
Additional Information
----------------------
Timeline:
2009-04-04: Issue discovery
2009-04-06: Initial Vendor Notification: Point of Contact requested via
contact form on website (No suitable e-mail available)
2009-04-07: Vendor Response: Automated response
2009-04-23: Public Disclosure
Vendor Statement:
Additional Information
----------------------
Timeline (dd/mm/yy):
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
12/11/2009: Received clarification request on firmware version
12/11/2009: Additional details sent
16/01/2010: Requested update on vulnerability status.
Additional Information
----------------------
Timeline:
09/11/2009: Requested Point of Contact to Linksys
10/11/2009: Received Point of Contact
10/11/2009: Vulnerability details sent
11/12/2009: Received clarification request on firmware version
11/12/2009: Additional details sent
16/01/2010: Requested update on vulnerability status.
reseed(8) performs an unsecured HTTP request to random.org for its
bits, despite random.org offering HTTPS services.
The Ubuntu Security Team took no interest when contacted by email (no
reply); the point of contact listed in the man pages took no interest
when contacted by email (no reply); and a launcher bug report was not
acted upon (https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594).
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
14/07/2010: This advisory
https doesn't help if your host entropy pool is poorly seeded.
[SSL/TLS needs entropy for authenticity/privacy.]
> The Ubuntu Security Team took no interest when contacted by email (no
> reply); the point of contact listed in the man pages took no interest
> when contacted by email (no reply); and a launcher bug report was not
> acted upon (https://bugs.launchpad.net/ubuntu/+source/reseed/+bug/804594).
you're surprised?
[you must be new around here!]
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Vulnerability disclosed at CONFidence 2010
29/06/2010: This advisory
9. *Report Timeline*
. 2009-10-23:
Core Security Technologies sends an email to IBM AIX Security team
requesting a security point of contact to report security bugs in
SolidDB and asks whether the report should be sent to SolidDB security
instead.
. 2009-10-27:
IBM AIX Security replies indicating that they forwarded the request to
----------------------
Timeline (dd/mm/yy):
17/02/2010: Vulnerability discovered
17/02/2010: No suitable technical/security contact on Global/Regional
website. No contact available on OSVDB website
18/02/2010: Point of contact requested to customer service
----------- No response -----------
26/05/2010: Partial disclosure at CONFidence 2010
28/06/2010: This advisory
August 01, 2009: Initial security alert sent to office@vncert.vn, vncert@mpt.gov.vn, vncert@mic.gov.vn
:Co-ordinator response:
August 01, 2009: Operation team replied that it would be the point of contact for VNCERT.
:Further communication:
August 02, 2009: VNCERT requested proof of vulnerability.