PGP key for vulnerability reports

Richard Johnson rjohnson at sourcefire.com
Mon Nov 18 16:07:16 EST 2013


Ethan, can you please confirm receipt of these vulns?


On Wed, Nov 13, 2013 at 8:35 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:

> Please find some of the security bugs we found attached. I've included my
> public key exported to ascii as well. Let me know if you have any trouble
> reproducing or understanding the bugs.
>
>
> Cheers,
>
> Richard Johnson
> Vulnerability Development Lead
> Sourcefire VRT
>
>
> On Fri, Oct 11, 2013 at 4:28 AM, Ethan Blanton <elb at pidgin.im> wrote:
>
>> Richard Johnson spake unto us the following wisdom:
>> > Hello, our research team has found a number of vulnerabilities in
>> > libpurple, including fully controlled remote execution. What is the proper
>> > procedure for submitting bugs?
>>
>> You are following it.  :-) For security-related bugs, please send the
>> details to this mailing list, and we will arrange for a CVE (unless
>> you wish to do so yourselves), bug fix, embargo with our packagers,
>> and a public release date.  As we are a large all-volunteer project,
>> these things normally take some time -- however, we will proceed as
>> rapidly as possible for a remote execution vulnerability.  As I am
>> sure you understand, we do ask that you respect the embargo date we
>> set and withhold your own publication until that date.  Please provide
>> us with whatever crediting information you wish for us to include in
>> the CVE and news items -- research institution, individual discoverer,
>> email address, etc.
>>
>> If you wish to encrypt your report, you can encrypt it to my public
>> key, 0x771fc72b.  I am currently traveling and there may be some
>> latency for a confirmation, but I will distribute the information as
>> appropriate.
>>
>> Ethan
>>
>
>
>
> --
> Richard Johnson
> Sourcefire VRT
>



-- 
Richard Johnson
Sourcefire VRT