On Sat, 20 Mar 2010, William Pitcock wrote:
> If you're a 15 year old kid and you just discovered a way to own the latest IOS, for example, how do you know who to tell about it?
Read the manual? Most products and open source projects have a manual which includes information about contacting the vendor or project. If you don't have the manual, but know how to use a search engine, try a search for "reporting security vulnerabilities". Most major IT vendors and open source projects have a security reporting page. Some people have suggested that vendors and projects have a common URL such as ".../security" with security information.

For example, if you found a vulnerability in IOS, look up the following URL to find out Cisco's reporting contacts:

http://www.cisco.com/security

  Report a potential vulnerability in Cisco products:
    psirt@cisco.com

  Urgent technical assistance for non-security issues that involve Cisco products:
    Cisco Technical Support 800 553 2447 (U.S.)
    Worldwide Contacts

  Emergency response to active security incidents that involve Cisco products:
    PSIRT 877 228 7302 (U.S.)
    +1 408 525 6532 (outside U.S.)

  Report an incident involving the Cisco corporate network:
    infosec@cisco.com

If you still don't know who to contact, CERT/CC maintains a world-wide map of national computer security incident response teams:

http://www.cert.org/cert/map_open.html

Although some of the "intra" forums between the CSIRT, vendor, project, provider and researcher communities aren't open to everyone (e.g. a CSIRT forum may only have CSIRTs, an academic forum may only have academics), each of the CSIRTs, vendors, projects and providers has contacts for reporting vulnerabilities that may affect their constituencies.