[Info-vax] VSI Website Form for Reporting Potential Security Problems

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Feb 26 19:27:28 EST 2018


On 2018-02-26, DaveFroble <davef at tsoft-inc.com> wrote:
> Simon Clubley wrote:
>> 
>> One thing missing from the form is a way to securely send files to VSI.
>> 
>> There either needs to be a file upload option or a public key that
>> can be used to send files to VSI encrypted.
>> 
>> If you look at the HPE security reporting page at:
>> 
>> https://www.hpe.com/h41268/live/index_e.aspx?qid=11503
>> 
>> you will see HPE offers security vulnerability reporters a public key
>> and an email address to use.
>> 
>
> Perhaps VSI chooses to handle each case uniquely?
>

That would not be a good way to do things and does not bring any benefits.

The point of a well known, high profile and long-lived public key is
that it helps to establish a chain of trust and helps make sure that
you really are talking to the vendor.

In addition, having incident-specific public keys means they all need
to be managed and stored.

For routine security issues, I'm actually quite relaxed about whether
it's a file upload as part of the submission or encrypted email using
a well known public key.

For the former to be directly compromised, you would have to fake the
website certificate, at which point you are probably dealing with state-level
actors anyway, and extremely sensitive submissions (such as an
unauthenticated remote total system compromise) would come with an extra
level of precautionary paranoia anyway.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
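The check that makes a "well known, long-lived public key" useful, pinning the vendor's published fingerprint and refusing to encrypt to anything else, written out as an added example. This is not code from the original post, from VSI or from HPE; the pinned fingerprint below is a placeholder value, not any vendor's real key, and the key file and report file names are assumed arguments. It inspects the downloaded key with `gpg --import-options show-only` before anything is trusted, compares the fingerprint against the pinned value obtained out of band, and only then imports the key into a throwaway keyring and encrypts to it:

```shell
#!/bin/sh
# Added example: pin a vendor disclosure key's fingerprint before encrypting
# a report to it. PINNED_FPR is a PLACEHOLDER (assumption), not a real key;
# replace it with the fingerprint published by the vendor and cross-check it
# over an independent channel (printed advisory, second website, phone).
PINNED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

normalize_fpr() {
    # Strip whitespace and upper-case hex so "ab cd" and "ABCD" compare equal.
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

fingerprint_matches() {
    # usage: fingerprint_matches <observed> <pinned>
    # Returns 0 only for an exact 40-hex-digit (OpenPGP v4) match; an empty
    # observed value (no key parsed) is a failure, never a pass.
    obs=$(normalize_fpr "$1")
    pin=$(normalize_fpr "$2")
    if [ -n "$obs" ] && [ "${#obs}" -eq 40 ] && [ "$obs" = "$pin" ]; then
        return 0
    fi
    return 1
}

key_fingerprint() {
    # Print the fingerprint of the first public key in an armored file
    # WITHOUT importing it (GnuPG >= 2.1). With --with-colons the "fpr"
    # record carries the fingerprint in field 10.
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

encrypt_report() {
    # usage: encrypt_report <vendor-key.asc> <report-file>
    # Writes <report-file>.asc encrypted to the pinned key, or fails closed.
    keyfile=$1
    report=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    fpr=$(key_fingerprint "$keyfile")
    if ! fingerprint_matches "$fpr" "$PINNED_FPR"; then
        echo "refusing to encrypt: fingerprint '$fpr' does not match pinned value" >&2
        return 1
    fi
    # Throwaway keyring so the vendor key never lands in the default one.
    # --trust-model always is acceptable here only because the fingerprint
    # pin above already did the trust decision; do not use it otherwise.
    ring=$(mktemp)
    if gpg --batch --quiet --no-default-keyring --keyring "$ring" --import "$keyfile" &&
       gpg --batch --quiet --no-default-keyring --keyring "$ring" \
           --trust-model always --armor --recipient "$fpr" \
           --output "$report.asc" --encrypt "$report"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$ring" "$ring~"
    return $rc
}

# Usage: encrypt_report vendor-security-key.asc report.txt
```

The fingerprint comparison is deliberately strict: an empty or truncated fingerprint (for example, when the downloaded file was an HTML error page rather than a key) fails rather than matching, and the pinned value is the only thing the script trusts, so a key served from a spoofed website or substituted in transit is rejected before any ciphertext is produced.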
