Re: SAP Security Contact



On 1/6/07 4:14 PM, "Nicob" <nicob@xxxxxxxxx> spoketh to all:

> On Friday 05 January 2007, Thor (Hammer of God) wrote:
> 
>> Something like security@xxxxxxx may seem obvious, but it's better if you
>> list specific contact info so it can be easily found.
> 
> I don't want to be rude but:
> - security@xxxxxxxxxx is the only standardized security contact (as
> defined by RFC 2142)
> - googling security@xxxxxxx would bring some results
> - this was already answered on the Full-Disclosure mailing list
> - the OSVDB Vendor Dictionary contains a record for SAP
> - even the SecurityFocus site has some references to this email
> address: http://www.securityfocus.com/columnists/415

You're not being rude at all-- that was my point about security@xxxxxxx
"being somewhat obvious." RFC states the use of a "security" mailbox.  But
in the absence of any official reference, you really don't know if it is a
valid contact or not.

The main point was that when someone goes to a vendor's domain and clicks
"contact us" there should be a security reference there.  That fact is
evident when you consider that this thread wouldn't exist in the first place
had SAP simply provided that information.  A security researcher shouldn't
have to Google various machinations of possible security contact references,
nor should they have to search off-site security portals (and have to trust
the results) to see if a particular email address exists when it is trivial
to stick a link on the vendor's "official" page...  It's really not that big of
a deal.

t