[VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities
Raul Siles
raul.siles at gmail.com
Tue Apr 3 09:07:37 CDT 2007
Shawn,
Your comments and concerns are directly related to a topic I privately
suggested to VOIPSA a couple of days ago about VoIP-related vulnerabilities
(didn't hear from VOIPSA yet). My suggestion was related to the creation
of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE or WVE
but just focused on VoIP. I think VOIPSA should lead it. The VVE service
could apply a standard and homogeneous threat rating, as you wisely suggest.
I'd love to hear opinions from others about this initiative.
FYI:
- Security: http://cve.mitre.org/
CVE: Common Vulnerabilities and Exposures
- Wireless: http://www.wve.org/
WVE: Wireless Vulnerabilities & Exploits
--
Raúl Siles
GSE
www.raulsiles.com
On 4/3/07, Shawn Merdinger <shawnmer at gmail.com> wrote:
>
> OK, I was waiting for someone else to bring this up, but nothing
> yet...must've been a case of the Mondays.
>
> Sipera VIPER folks, a few quick questions:
>
> 1. Concerning Sipera's recent VoIP phone advisories, why do your
> threat ratings (high, moderate, etc.) differ from the advisories
> issued by RIM? I was hoping (a guy can dream, right?) there was
> coordination and everyone was on the same page...RIM folks? Any
> comments? Maybe this is an opportunity for VOIPSA to create a "vendor
> code of conduct" to lead the community disclosure process?
>
> 2. Concerning Sipera's "Generic" advisories, they are very, very,
> vague -- with no information on impacted vendors, status of fixes,
> etc. What's going on here? Is there a Sipera policy in play? If
> you've notified vendors who are not fixing or have ignored you, what's
> the next course of action?
>
>
> http://www.sipera.com/index.php?action=resources,threat_advisory&all=Generic&
>
> 3. Is Sipera VIPER Labs planning to publish vulnerability notices
> more publicly (full-disclosure, bugtraq, etc.) in the future -- or
> will they continue to be released quietly? Btw, you might refer to my
> recent VOIPSA blog post on questions to ask vendors, #6 Vendor
> Security Response.
>
> Kind regards,
> --scm