[Full-disclosure] How to Report a Security Vulnerability to Microsoft
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] How to Report a Security Vulnerability to Microsoft
- From: jamie fisher <contact_jamie_fisher@xxxxxxxxxxx>
- Date: Mon, 11 Apr 2005 12:47:54 +0100 (BST)

Hi... For what it is worth I wanted to wade into this discussion pool.
Recently I found a BO at rad.msn.com and published it to Full Disclosure but
not without first contacting Microsoft with my findings. As it transpires I
had sent my findings to the wrong email address. To cut an uninteresting story
short, through an iterative process Microsoft and I worked together (no money
involved - and I shouldn't think so either) to understand and resolve the
issue. Surprisingly I found the people at Microsoft very friendly; the sort of
people I'd probably have a pint with at the pub on the weekend.

Personally I'm vendor OS agnostic, i.e., I don't give a rat's arse as to whether
you're aligned with Linux, IBM, VMS, Microsoft or Mr Crappy's OS. As a
security consultant, and with politics out of the way, my only interest is
whether the OS or product can be secured well. In terms of my experience in
finding security vulns and flaws in code I'm quite green, but I do know that it
is essential for me to foster a good working relationship with vendors if I am
to be anything other than a 'here is my big whoopie security vuln: fUx to M$'
type of security consultant.

Perhaps Microsoft genuinely thought it about time another announcement was sent
to FD to keep the education process from stalling. Personally I think they're
doing a stellar job!