On Sat, 20 Mar 2010, William Pitcock wrote:
> If you're a 15 year old kid and you just discovered a way to own the
> latest IOS, for example, how do you know who to tell about it?
Read the manual? Most products and open source projects have a manual
which includes information about contacting the vendor or project.
If you don't have the manual, but know how to use a search engine, try a
search for "reporting security vulnerabilities". Most major IT vendors
and open source projects have a security reporting page. Some people have
suggested that vendors and projects have a common URL such as ".../security"
with security information.
For example, if you found a vulnerability in IOS, look up the following URL
to find out Cisco's reporting contacts:
http://www.cisco.com/security
  Report a potential vulnerability in Cisco products:
    ps...@cisco.com

  Urgent technical assistance for non-security issues that involve Cisco
  products:
    Cisco Technical Support
    800 553 2447 (U.S.)
    Worldwide Contacts

  Emergency response to active security incidents that involve Cisco
  products:
    PSIRT
    877 228 7302 (U.S.)
    +1 408 525 6532 (outside U.S.)

  Report an incident involving the Cisco corporate network:
    info...@cisco.com
If you still don't know who to contact, CERT/CC maintains a world-wide map
of national computer security incident response teams.
http://www.cert.org/cert/map_open.html
Although some of the "intra" forums between the CSIRT, vendor, project,
provider and researcher communities aren't open to everyone (e.g. a CSIRT
forum may only have CSIRTs, an academic forum may only have academics),
each of the CSIRTs, vendors, projects and providers has contacts for
reporting vulnerabilities that may affect their constituencies.