On the full-disclosure list, low halo asked:

> Could someone please give me the security contact address for Oracle
> Corporation? It seems as though their marketing department's
> "Unbreakable" slogan makes them think that it's OK to bury their
> security advisories & contact info deep within their site somewhere.

It's not immediately obvious when navigating from the www.oracle.com home page, but it's listed at:

http://otn.oracle.com/deploy/security/alerts.htm
secalert_us@oracle.com

I found this by doing a site search on "vulnerability," which led me to the advisory page.

Very few vendor home pages (open/closed source, freeware or not) seem to make it easy to find a security contact, or advisory page, from the home page. Here's a quick look I just did from the home pages of various software providers. Your Mileage May Vary.

from www.microsoft.com: click on "Security" in the resources menu, click on "more bulletins and patches," go to "contact Microsoft security"

from www.redhat.com: there's no "security" link on the front page. The "community resources" menu does not mention a security link. The "support & docs" link asks for user registration, but there's an "errata" menu on the left-hand side. This gets us to a "security alerts" page, but I don't see any security POCs there. There's a "Bugzilla" link on the left-hand menu, but this leads to the bugzilla.redhat.com web site, which requires registration. The online security advisories don't seem to list a security contact. The advisories, when posted to Bugtraq, come from bugzilla@redhat.com and not some security-specific email address. But the advisory does list a PGP key at http://www.redhat.com/about/contact/pgpkey.html, which suggests that a security@redhat.com address is available. On this PGP key page, there's a "Red Hat Security Resource Center" menu along with a "Security Contacts and Procedures" option. Then I see that this was under the "Enterprise Solutions" web page, which could have been found from the www.redhat.com home page had I clicked on the "Enterprise Solutions" link instead of the "Support & Docs" link.

from www.suse.de: click "security announcements" and the security contact is near the top of the page

from www.debian.com: click "security information," which links to the "Debian security FAQ," which has a "How can I reach the security team?" question which points to security@debian.org

from www.sun.com: I have two main navigation options, "solutions" or "support & training." I'll try "solutions" since that would have worked for Red Hat. There's a "security" option under "Consulting Services," but that's for, well, their consulting services. But there's a "Related Links" whose first item is "Security," which gets us to the main security page, and its first link is for the security bulletins, which lists security-alert@sun.com.

from www.novell.com: I gasp and reluctantly allow the ActiveX control to run, although IE isn't telling me which control I'm allowing. I try a text search for "secur" [security, secure], which seems to find something, but it's not highlighted in my browser so I can't tell. Emboldened by previous "Solutions" successes, I go there first, but this time no luck. The "support" menu doesn't include a security sub-item, but I click it anyway and find the Novell security alerts page, which includes a form I can use to submit bugs.

from www.mandrake.com: I get redirected to www.linux-mandrake.com and go to the Security Updates link, which has the security@linux-mandrake.com address.

from www.openbsd.org: I click on the "Security" link and the "Reporting problems" section points to deraadt@openbsd.org

from www.cisco.com: a "secur" search has similar issues to those I had with www.novell.com (i.e. it's somewhere in the page but I can't find it), though it does show up in a "Networking Solutions & Provisioned Services" item. I click on that and get a big JavaScript menu with a security option (maybe that was one of the search matches?), so I go there, but the page is for various security solutions and not a security contact. I use a drop-down menu to go to tech support, search for "secur" and get the SNMP advisory. I notice a "Contact PSIRT" reference, but for the sake of experimentation I'll pretend I don't know what PSIRT means; I'm looking for "security" people. So I go to the SNMP security advisory, which has a "Cisco Security Procedures" section, which then gets me to the PSIRT page and the security-alert@cisco.com / psirt@cisco.com addresses.

from www.freebsd.org: click on "Security" and the first section brings us to security-officer@FreeBSD.org.

from www.hp.com: no matches on "secur". I try "support and drivers" and then "HP technical support." There's a "security" option under software, which brings me to a page that tells me how I can "receive security bulletins by email," which isn't quite what I'm looking for but close enough. This tells me I have to go to the "HP IT Resource Center" web site, register, then log in... but I'm not really in the mood to register right now; I've already got enough web accounts to manage. I just happen to notice a small "security" link on the top of the page that hasn't been visited before, so I go there (http://www.hp.com/security/index.html). There are some drop-down menus including particular product categories, so I'll just pick "hp-ux" software. This lists various security products but no security contacts or promising links. I try "all hp internet security products and technologies," but that gets me back to a page I've already seen. I try the "contact hp" link, which gets me to http://thenew.hp.com/country/us/eng/contact_us.html. The main page doesn't immediately grab me, but the left-hand menu says "report a software security issue" and I click on it. This points me to security-alert@hp.com.

from www.mozilla.org: see http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0095.html

In short, the ease with which security contacts can be found varies from site to site, and individual to individual. There are many different "reasonable" paths that somebody might take in finding a security contact. Software providers who wish to simplify vulnerability notification can address some of this with prominent links from all of these pages:

- security pages (both the "solutions" and advisory pages)
- the advisories themselves
- tech support
- the "contact us" page.

- Steve