[VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities
Shawn Merdinger
shawnmer at gmail.com
Tue Apr 3 14:52:16 BST 2007
OK, I was waiting for someone else to bring this up, but nothing
yet...must've been a case of the Mondays.

Sipera VIPER folks, a few quick questions:

1. Concerning Sipera's recent VoIP phone advisories, why do your
threat ratings (high, moderate, etc.) differ from the advisories
issued by RIM? I was hoping (a guy can dream, right?) there was
coordination and everyone was on the same page...RIM folks? Any
comments? Maybe this is an opportunity for VOIPSA to create a "vendor
code of conduct" to lead the community disclosure process?

2. Concerning Sipera's "Generic" advisories, they are very, very,
vague -- with no information on impacted vendors, status of fixes,
etc. What's going on here? Is there a Sipera policy in play? If
you've notified vendors who are not fixing or have ignored you, what's
the next course of action?

http://www.sipera.com/index.php?action=resources,threat_advisory&all=Generic&

3. Is Sipera VIPER Labs planning to publish vulnerability notices
more publicly (full-disclosure, bugtraq, etc.) in the future -- or
will they continue to be released quietly? Btw, you might refer to my
recent VOIPSA blog post on questions to ask vendors, #6 Vendor
Security Response.

Kind regards,
--scm