[VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities
shawnmer at gmail.com
Tue Apr 3 14:52:16 BST 2007

OK, I was waiting for someone else to bring this up, but nothing
yet...must've been a case of the Mondays.

Sipera VIPER folks, a few quick questions:
1. Concerning Sipera's recent VoIP phone advisories, why do your
threat ratings (high, moderate, etc.) differ from the advisories
issued by RIM? I was hoping (a guy can dream, right?) there was
coordination and everyone was on the same page...RIM folks? Any
comments? Maybe this is an opportunity for VOIPSA to create a "vendor
code of conduct" to lead the community disclosure process?
2. Concerning Sipera's "Generic" advisories, they are very, very
vague -- with no information on impacted vendors, status of fixes,
etc. What's going on here? Is there a Sipera policy in play? If
you've notified vendors who are not fixing or have ignored you, what's
the next course of action?
3. Is Sipera VIPER Labs planning to publish vulnerability notices
more publicly (full-disclosure, bugtraq, etc.) in the future -- or
will they continue to be released quietly? Btw, you might refer to my
recent VOIPSA blog post on questions to ask vendors, #6 Vendor