We don't just send the initial advisory... I guess I need to make the website slightly more informative!
After the initial contact we have (currently) a 6 month disclosure policy. We send an email every month, in the final month once a week and in the final week once a day. This email is automatically generated and includes information about how long is left, how many emails we have sent etc.

Please note that the 6 months is being changed to 1 month without contact 3 month fix (case by case) in the near future.

Thanks

On 18 March 2012 21:24, Thor (Hammer of God) <[email protected]> wrote:

> Why not just provide them with the contact and they can forward it on directly? Then you could obviate the entire trust issue…
>
> t
>
> From: [email protected] [mailto:[email protected]] On Behalf Of upsploit advisories
> Sent: Sunday, March 18, 2012 1:56 PM
> To: Michal Zalewski
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Fw: Earth to Facebook
>
> The only other people that see the vulnerability are the select few in upSploit.
>
> However if the vendor is already in the upSploit database the advisory gets submitted straight away to the vendor.
>
> If you want to try it out there should be an upSploit vendor in the vendor list. Submit some advisories there.
>
> There is no ploy - like anything it is about trust. I created the service because when I first started I found it hard to find contacts sometimes. Use it if you want, don't if you don't. Simple as that really!
>
> Use it once for something you may not care about too much and see how it works for you.
>
> Thanks,
>
> On 18 March 2012 20:22, Michal Zalewski <[email protected]> wrote:
>
> > Without meaning to advertise, that is one of the reasons upSploit was created - so that you could submit a vulnerability and then upSploit automatically sends to the vendor. This way you and your friend don't have to do any of the work on the disclosure.
>
> I clicked around and don't see any obvious explanation; other than the reporter and the vendor, who else gets to see the submissions and under what circumstances?
>
> /mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
