Re: SAP Security Contact

To: Nick Boyce <nick.boyce@xxxxxxxxx>
Subject: Re: SAP Security Contact
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
Date: Wed, 10 Jan 2007 15:56:02 -0800
Cc: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pacbell.net; h=Received:X-YMail-OSG:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Z6ynJxFj6rPy8gLYARiWJxddL8shYSVaWwoPC/NNvOYo7PY9ncQgbZWQWYEry0buLNlGCYDsN5vKEjcP5WMkowqDEqiQOwGaXsHBuYIRTDz1qBNPhnKLP8eSkbV92bD5wkAiFAAPntaT0XELxEn330OczOmlx5En4TNf/+xqKxc= ;
In-reply-to: <a847a3140701090609j63f09645g3da4c2c9a570f7a2@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <C1C41390.91E3%thor@xxxxxxxxxxxxxxx> <1168128858.22010.467.camel@localhost> <a847a3140701090609j63f09645g3da4c2c9a570f7a2@xxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

Security@xxxxxxxxxxxxx goes to the police/traffic department at acertain northwest USA software company.

Secure@xxxxxxxxxxxxx is the proper alias for security bugs.

:-)

Nick Boyce wrote:

On 1/7/07, Nicob <nicob@xxxxxxxxx> wrote:

security@xxxxxxxxxx is the only standardized security contact (as
defined by RFC 2142)


While nobody could argue with that, I've lost count of the number of
banks and similar organisations to which I've tried to report phishing
scams via their "security@" alias, only to get a bounce saying no such
address.

And in at least one case (org name escapes me now) the "security@"
alias turned out to be a *physical* security department, populated by
large gentlemen with peaked caps and bulging armpits ... so you can't
rely on "security@".

Nick Boyce

--

Letting your vendors set your risk analysis these days?http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

References:
- Re: SAP Security Contact
  - From: Thor (Hammer of God)
- Re: SAP Security Contact
  - From: Nicob
- Re: SAP Security Contact
  - From: Nick Boyce

Prev by Date: Jshop Server 1.3
Next by Date: Re: A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)
Previous by thread: Re: SAP Security Contact
Next by thread: Re: SAP Security Contact
Index(es):
- Date
- Thread