[VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities

Sipera VIPER Lab viper at sipera.com
Wed Apr 4 11:49:45 CDT 2007


Thank you for your interest and questions. 
 
1. According to our disclosure policy currently in effect, Sipera VIPER
Lab notifies equipment vendors, at least 30 business days in advance,
of Specific Threat Advisories and works with each of these vendors to
publish a response with minimal difference, fix the vulnerability
and/or identify other solutions to these security issues. These
solutions are published along with the Threat Advisory.
 
2. We categorize threat advisories into "Generic" and "Specific". Unlike
specific advisories, generic threat advisories are largely a result of
theoretical analysis of protocol standards -- no specific products are
tested. As a result of assessing specific products, we may discover
issues that relate to one or more of the generic threats.
 
3. For some reason, if a vendor does not respond, we continue trying to
contact the vendor using all possible channels for a specific period of
time, even after publishing advisories.
 
4. VoIP Threat Advisories are posted at http://www.sipera.com/viper as a service to Sipera’s customers and the general public. More public disclosure is currently under consideration. 
 
As a part of the security research community, we are glad to work with
VOIPSA to improve and standardize the overall security of VoIP products
and solutions.
 
Sincerely, 
Sipera VIPER Lab 
www.sipera.com/viper 
 
----- Original Message ----- 
From: Shawn Merdinger  
Sent: Tue, 4/3/2007 9:10am 
To: Raul Siles  
Cc: Voipsec ; security at rim.com; Sipera VIPER Lab  
Subject: Re: [VOIPSEC] Questions about recent Sipera reported RIM Blackberry (and other VoIP phone) vulnerabilities 
 
On 4/3/07, Raul Siles <raul.siles at gmail.com> wrote: 
> of a VoIP Vulnerabilities and Exposures (VVE) service, similar to CVE or WVE 
> but just focused on VoIP. I think VOIPSA should lead it.
 
Hi Raul, 
 
A fine idea, so long as we have the peeps to maintain and _really_ 
have quality intel in the DB.  Of course, lots of folks on this list 
are probably too busy making boat payments -- any university 
professors/undergraduate/graduate students on the list have a 
hankerin' for some indentured servitude...er, internships? 
 
Thanks! 
--scm 




