I sent in my first security analysis/vulnerability to Oracle on Friday. It was for the product, Hyperion Web Analysis Studio 9.3. I've heard horror stories about vendors abusing security professionals, rather than being thankful. I hit send with a bit of trepidation. I got a fairly quick reply (12 hours or so) that was very pleasant, thanking me for the analysis and asking for a few clarifications. It was clear that my analysis was thoroughly read and understood. I must say, they are friendly folks. I'm waiting to hear back as to when I can blog on my analysis, so something will be forthcoming in the next 3-4 weeks.
One thing that was annoying was that it took me quite a while to figure out where to send the information.    
On a side note, the flaw is not serious, as long as you use SSL, which you should be doing anyway.