
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability



On Monday 05 July 2004 19:42, Eric LeBlanc wrote:
> On Mon, 5 Jul 2004, System Outage wrote:

> I agree with "System Outage".  Gmail clearly told us that their website is
> in BETA stage.

Beta, alpha, released, yada yada.  Gmail is OPEN for the public, albeit you 
need "an invitation".  Thus, enough reason to disclose security holes.

> For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
> this software MAY HAVE security holes.  That's why they want us to test
> this site before going to the public release, and it's our job to notify
> the Gmail team of all bugs AND security holes we may find.  As long as
> this website is in beta stage, all advisories that someone may send in this
> list or elsewhere are NOT considered 'Security Advisory' for me.

Hm.  By that standard, we could not ever disclose stuff about Microsoft 
software.  'Cause their stuff is indefinitely beta, hahaha.  ;-)

> The original author may not receive answers from the Gmail Team, but this
> site is NOT IN PRODUCTION.  When the Gmail site is official and this
> bug is still there, NOW you can publish your security advisory.

So, the solution to having embarrassing security problems published is to never 
declare the program "Released".  Can someone please tell Microsoft? They'd be 
really interested in declaring IE and Outlook beta software forever in that case. 

> Furthermore, the best people for testing the software (bugs and security
> holes) are the public.  They can do many things which we would never have
> thought of or imagined.

Well now, isn't this  e x a c t l y  what's happening here ?

> BTW, I'm sure that the Gmail developers expect that the public will find
> some security holes...
>
> If we must publish all security advisories about beta software, this list
> will be flooded...

The very reason to HAVE a beta test phase is to find and flush out bugs early. 
Doing that, the released program can be as flawless as can be.  So when would 
you suggest is a good time to disclose bugs? Release date being too late... 

Maarten

-- 
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html