Archive-name: computer-security/vendor-contacts 
Posting-frequency: monthly
Last-modified: 1995/5/04
Version: 2.01 

Vendor Contacts FAQ

Version: 2.01
-------------------------------------------------------------------------------
This Security FAQ is a resource provided by:

     Internet Security Systems, Inc.
     2000 Miller Court West            Tel: (770) 441-4531
     Norcross, Georgia  30071          Fax: (770) 441-2431

     - Internet Scanner ... the most comprehensive "attack simulator"
     available. -

-------------------------------------------------------------------------------
To get the newest updates of Security files check the following services:

     mail info@iss.net with "send index" in message
     http://iss.net/
     ftp iss.net /pub/

-------------------------------------------------------------------------------

     "It [Vendor Security Contact FAQ] is the kind of thing that makes you
     look good at work when your boss decides he's joe security and wants
     a patch (for like rdist - duh!) yesterday..." - Tim Scanlon, System
     Analyst

Vendor Security Contacts: Reporting Vulnerabilities and Obtaining New Patches

The following FAQ is a list of security contacts to reach at various vendors
for reporting security vulnerabilities and obtaining new security related
patches.

With the rising number of people and hosts gaining access to the Internet, the
basic integrity of the Net needs to be maintained. Many of the security
incidents that happen on the Internet could have been avoided by installing
security patches that are available from vendors. It is important to get the
recent patches and ensure that your systems are configured properly. With
intruders and their underground network having quick access to security
vulnerabilities, it is important that administrators have security information
available and do not rely on just one organization.

Security contact information is available for the following vendors:

   * A/UX
   * Cray Research
   * Data General Corporation
   * DEC
   * HP
   * IBM
   * Motorola
   * NeXT
   * Novell
   * SCO
   * SGI
   * Sun

Other important security contacts included are:

   * CERT Contact
   * CIAC Contact
   * FIRST Contact

When reporting a new security bug, be as specific as possible: describe how to
reproduce it, give the OS release (output of uname -a), and list the release
numbers of any other software involved.

-------------------------------------------------------------------------------

A/UX

Contact information for A/UX is as follows:

   * Send security related information to the following people:
        o Erik E. Fair: fair@apple.com and CC: staff@apple.com

-------------------------------------------------------------------------------

Cray Research

Contact information for Cray Research is as follows:

Cray Research customers should first direct questions and concerns to on-site
support personnel (if provided by their service contract). Other contacts
should be made through:

     Technical Service Center
     Cray Research, Inc.
     655F Lone Oak Drive
     Eagan MN 55121
     USA

     tel. +1-612-683-5600
     email. support@cray.com

-------------------------------------------------------------------------------

DG, Data General Corporation

Contact information for DG is as follows:

   * Send security related information to the following person:

        o  Kevin Peterson (peterson@dg-rtp.dg.com)

          Data General Corp
          62 Tw Alexander Drive
          RTP, NC 27709

          Phone: 919-248-6011

Patches (security or nonsecurity) are distributed through our Support Centers
(and/or local office).

-------------------------------------------------------------------------------

DEC, Digital Equipment Corporation

Contact information for DEC is as follows:

   * Send security related information to the following person:
        o FIRST Contact: Rich Boren rich.boren@cxo.mts.dec.com, (719) 592-4689

Security patches are issued by Customer Support Centers.

-------------------------------------------------------------------------------

HP, Hewlett Packard

Contact information for HP is as follows:

   * For security concerns, questions, or problems, you can contact:
        o security-alert@hp.com

Obtaining Patches:

Patches and mailing lists are available through the HP SupportLine service.
More information is available in their bulletin. The HP SupportLine mail
service is available to anyone who can send electronic mail via the Internet.

-------------------------------------------------------------------------------

IBM, International Business Machines

Contact information for IBM is as follows:

   * IBM support @ 1-800 237-5511
   * Email to services@austin.ibm.com

Send security related information to Nick Trio (nrt@watson.ibm.com, a.k.a.
postmaster@ibm.com; Unix person on IBM's Computer Emergency Response Team) and
Alan Fedeli (fedeli@vnet.ibm.com).

Some security patches for AIX are available via anonymous FTP from
software.watson.ibm.com in pub/aix3.

Security patches are issued through your IBM sales office.

-------------------------------------------------------------------------------

Novell, Inc.

Contact information for Novell is as follows:

   *  Phone number: 800-4-UNIVEL

Security patches are available from:

   *  Compuserve
   *  ftp from ftp.novell.com
   *  floppy from the Novell support folks

-------------------------------------------------------------------------------

Motorola

Contact information for Motorola is as follows:

     For security concerns, questions, or problems with Motorola Products
     contact your sales or support representative.

     For security concerns, questions, or problems related to incidents in
     progress or Motorola's presence on the Internet:

        *  +1-708-576-1616 (for emergencies)
        *  +1-708-538-2153 (fax)
        *  mcert@mot.com

For Motorola Computer Group:

     For security concerns, questions, or problems with Motorola Products
     contact your sales or support representative.

     For security concerns, questions, or problems related to incidents in
     progress or MCG's presence on the Internet:

          security-alert@mcd.mot.com

     For emergencies, contact the emergency number listed above.

     Starting in 1995, MCG began providing certain security patches for
     MCG products via anonymous ftp from ftp.mcd.mot.com in pub/patches.
     Patches are also available via your sales or support
     representative.

-------------------------------------------------------------------------------

NeXT

Contact information for NeXT is as follows:

   * Technical Support: ask_next@next.com
   * Phone number: 800.848.6398

Address:

     900 Chesapeake Drive
     Redwood City, CA 94063

-------------------------------------------------------------------------------

SCO

Contact information for The Santa Cruz Operation (SCO):

   * Send security related information to: security-alert@sco.com

Security patches are issued on an as-needed basis and will be available at
ftp.sco.com and its mirrors.

When submitting information about a security problem, please include output of
the following commands:

  uname -X
  swconfig
  hwconfig -h        (if hardware-related)

and as much detail about the problem as you can muster.

-------------------------------------------------------------------------------

SGI - Silicon Graphics Incorporated

Contact information for SGI is as follows:

   * Send security related information to: security-alert@sgi.com
     If there is no response, try Dave Olson (olson@sgi.com) or Miguel Sanchez
     (miguel@sgi.com).

   * Inside US:
        o Support line: 1-800-800-4SGI

   * Outside US/Canada:
        o Contact your local SGI support provider

   * FTP Site:
        o  ftp.sgi.com (192.48.153.1)
        o  When available, patches are placed in the directories
             +  security
             +  sgi/IRIX4.0
             +  sgi/IRIX5.0

-------------------------------------------------------------------------------

Sun

Contact information for Sun is as follows:

   * email: security-alert@sun.com
   * phone: 415-688-9081
   * Fax: 415-688-9101
   * postal:

          Sun Security Coordinator
          MS MPK2-04
          2550 Garcia Avenue
          Mountain View, CA 97703-1100

For reporting security vulnerabilities and problems, Sun strongly recommends
that you report problems to your local Answer Center and your representative
computer security response team, such as CERT. In some cases your local Answer
Center will accept a report of a security bug even if you do not have a support
contract. An additional notification to the security-alert alias is suggested
but should not be used as your primary vehicle for reporting a bug.

Sun Security Bulletins

Sun Security Bulletins are available free of charge as part of our Customer
Warning System. It is not necessary to have a Sun support contract in order to
receive them.

To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS your-mail-address" and
a message body containing affiliation and contact information. To request that
your name be removed from the mailing list, send mail to the same address with
the subject "unsubscribe CWS your-mail-address". Do not include other requests
or reports in a subscription message.

Due to the volume of subscription requests Sun receives, Sun cannot guarantee
to acknowledge requests. Please contact the security office if you wish to
verify that your subscription request was received, or if you would like your
bulletin delivered via postal mail or fax.

Sun Security Bulletins are archived on ftp.uu.net (in the same directory as the
patches) and on SunSolve. Please try these sources first before contacting the
security office for old bulletins.

-------------------------------------------------------------------------------

Other Resources

-------------------------------------------------------------------------------

CERT (Computer Emergency Response Team)

To report a vulnerability to CERT (Computer Emergency Response Team), contact
CERT at:

   * E-mail: cert@cert.org

Past advisories and other information related to computer security are
available for anonymous FTP from cert.org (192.88.209.5).

See the Security Resources FAQ for more information on CERT and vulnerability
reporting forms.

-------------------------------------------------------------------------------

CIAC (Computer Incident Advisory Capability)

To report a vulnerability to CIAC (Computer Incident Advisory Capability) of
DoE, contact CIAC at:

   * voice: 510-422-8193
   * fax: 510-423-8002
   * stu-iii: 510-423-2604
   * or mail ciac@llnl.gov.

Previous CIAC bulletins and other information are available via anonymous ftp
from ciac.llnl.gov (IP address 128.115.51.53).

See the Security Resources FAQ for more information on CIAC advisories and
mailing lists.

-------------------------------------------------------------------------------

FIRST (Forum of Incident Response and Security Teams)

To report a vulnerability to FIRST (Forum of Incident Response and Security
Teams), contact FIRST at:

   * voice: 310-975-3359
   * fax: 310-948-0279
   * web: http://first.org/first
   * or mail first@first.org.

-------------------------------------------------------------------------------

Acknowledgements

Thanks go to the following people for providing new or updated information to
be included in this FAQ:

   * Dave Millar for helping provide a portion of the information.
   * Steve Cooper, spcooper@llnl.gov

-------------------------------------------------------------------------------

Copyright

This paper is Copyright (c) 1994, 1995
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may
distribute, transfer, or spread this paper electronically. You may not pretend
that you wrote it. This copyright notice must be maintained in any copy made.
If you wish to reprint the whole or any part of this paper in any other medium
excluding electronic medium, please ask the author for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <cklaus@iss.net> of Internet Security Systems, Inc.
<iss@iss.net>

Internet Security Systems, Inc.

Internet Security Systems, Inc., located in Atlanta, Ga., specializes in the
development of security scanning software tools. Its flagship product,
Internet Scanner, is software that learns an organization's network and probes
every device on that network for security holes. It is the most comprehensive
"attack simulator" available, checking for over 100 security vulnerabilities.