Comments on Jeremiah Grossman: PayPal's Vulnerability Disclosure Policy includes researcher protection
Blog author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Comment feed last updated 2024-02-08.

Anonymous, 2008-04-10 01:13:
worth reading. thanks

Anonymous, 2007-11-29 07:26:
Thanks Security Retentive.

Andy Steingruebl (https://www.blogger.com/profile/07177656204885181542), 2007-11-28 11:04:
I have posted some commentary on the policy here:

http://securityretentive.blogspot.com/2007/11/some-comments-on-paypals-security.html

I helped write the policy so hopefully my post will be useful.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-11-26 08:14:
A healthy level of skepticism is appropriate. While I would expect PayPal's policy to be refined from time to time, I believe their interests are in alignment with the general security researcher.

Anonymous (Don C. Weber), 2007-11-25 15:58:
I'm not sure if it will be useful in the future, but I have posted (http://www.cutawaysecurity.com/blog/archives/212) several SHA values of the statement on my site.

Go forth and do good things,
Don C. Weber

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-11-22 18:39:
For many organizations out there I can certainly agree with the skepticism, but not for PayPal IMHO. First though, PayPal has no way of knowing how long a particular fix will take, so it makes sense for them not to commit to a hard time limit, so they must keep the language a little vague. From personal experience and witnessing disclosures from others, PayPal is really on top of things and fixes within days. I'd give them the benefit of the doubt.

Anonymous, 2007-11-22 11:23:
I agree this is a giant leap in the right direction.

Too bad "...all the guidelines outlined below." contain holes they can drive a Mack Truck through.

"Allow us reasonable time to respond to the issue before disclosing it publicly."

So basically they can decide that any time period (6mo, 1yr, 2yr) wasn't reasonable and "cya in court".