
MailDeadDrop
Rage and Terror Against ALL Authorities
13
Posted - 2011.09.22 22:07:00 -
[1]
CCP Sreegs wrote:
    All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.

Given how things played out with the first release of the new forums, I can conclude one of several things:
1. The procedures (above) were not in place at the time, and thus the peer and 3rd party reviews did not occur.
2. The procedures were in place but were not followed.
3. The "peers" and "reputable third parties" were incompetent.
4. The peers and/or 3rd parties reported the blatant security problems but CCP chose to do nothing.
Care to tell us which it was?
MDD

MailDeadDrop
Rage and Terror Against ALL Authorities
13
Posted - 2011.09.22 23:14:00 -
[2]
CCP Sreegs wrote:
    MailDeadDrop wrote:
        CCP Sreegs wrote:
            All code that is written is peer reviewed and subject to rounds of internal testing. Prior to publication of the code, a reputable third party performs a vulnerability analysis of the codebase that will be published.
        *snip*
        MDD
    Yeah let me get right on that.

While I'm not exactly pleased with the tone of your reply, I'll have to say I am glad you did reply. Really.
So maybe my initial posting was more snide than it should have been. And perhaps this topic doesn't exactly follow the main thrust of the dev blog. Hopefully you'll agree that the initial rollout was rather calamitous, and that there are lessons to be learned from how it came to happen. I suppose the root of my question is: did you (as The Security Guy) determine how it came to happen? A simple "yes", "partially", or "no" response is all that I'm seeking. Well, that and the realization that if the answer is "no" that maybe you should go ask those questions.
On a completely tangential topic, I've seen recent discussions on the petition queues, and how the security-related (non-exploit) petitions take a substantially larger share of :effort: to disposition. I also recall that the 2010 FanFest goodie bag included an authenticator (à la RSA SecurID fob). It seems to me that allowing, perhaps even mandating, the use of those fobs for login would dramatically reduce the incidence of the "hacked account" security petitions. Would you please add "login security" to the list of topics for you to cover in the next dev blog you write (hopefully Soon™)?
Thanks for your time.
MDD