
Re: [Full-Disclosure] Gmail Information Disclosure Vulnerability



I fully agree with you on this topic. I found it hard to believe users were 
posting advisories for Gmail before public release. In my view all issues 
should be directed to Gmail and, if the user wishes to use lists such as FD, 
the user should wait until the service is available to the public and then, 
perhaps, send it to FD for discussion. 
 
The user could also state the discovery date and various other timeline dates, 
to give the user some better acknowledgement in the advisory. This will prove 
(if the user wishes it to be known) they did find the hole at the Beta stage 
and that Gmail let it slip through the net.
 
I suspect -a lot- of vulnerabilities will come to light the week that Gmail 
makes the service public. I think a lot of users are holding back until then. I 
may be wrong though.
 
 
Cheerio
 


Eric LeBlanc <inouk@xxxxxxx> wrote:
I agree with "System Outage". Gmail clearly told us that their website is
in BETA stage.

For me, when software is in 'BETA' (or 'ALPHA'), we SHOULD expect that
this software MAY HAVE security holes. That's why they want us to test
this site before going to the public release, and it's our job to notify
the Gmail team of all bugs AND security holes we may find. As long as
this website is in beta stage, all advisories that someone may send to this
list or elsewhere are NOT considered 'Security Advisories' for me.

The original author may not receive answers from the Gmail Team, but this
site is NOT IN PRODUCTION. When the Gmail site is official and this
bug is still there, NOW you can publish your security advisory.

Furthermore, the best people for testing the software (bugs and security
holes) are the public. They can do many things which we would never
have thought of or imagined.

BTW, I'm sure that the Gmail developers expect that the public will find
some security holes...

If we must publish all security advisories about beta software, this list
will be flooded...

E.
--
Eric LeBlanc
inouk@xxxxxxx
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

                