On 1/6/07 4:14 PM, "Nicob" <nicob@xxxxxxxxx> spoketh to all:

> On Friday, 05 January 2007, Thor (Hammer of God) wrote:
>
>> Something like security@xxxxxxx may seem obvious, but it's better if you
>> list specific contact info so it can be easily found.
>
> I don't want to be rude but :
> - security@xxxxxxxxxx is the only standardized security contact (as
> defined by RFC 2142)
> - googling security@xxxxxxx would bring some results
> - this was already answered on the Full-Disclosure mailing list
> - the OSVDB Vendor Dictionary contains a record for SAP
> - even the SecurityFocus site has some references to this email
> address : http://www.securityfocus.com/columnists/415

You're not being rude at all -- that was my point about security@xxxxxxx "being somewhat obvious." The RFC states the use of a "security" mailbox. But in the absence of any official reference, you really don't know if it is a valid contact or not.

The main point was that when someone goes to a vendor's domain and clicks "contact us" there should be a security reference there. That fact is evident when you consider that this thread wouldn't exist in the first place had SAP simply provided that information.

A security researcher shouldn't have to Google various machinations of possible security contact references, nor should they have to search off-site security portals (and have to trust the results) to see if a particular email address exists when it is trivial to stick a link on a vendor's "official" page...

It's really not that big of a deal.

t