Dear SPARTA partners,
Since we have a certified pentester in our team (but no person-months
allocated to this in SPARTA), we could scan a bit more, but not without
a general "ok" from the coordinators. Not a full pentest though, we
don't have the time/resources to do that this month, but maybe we could
at least catch any other basic problems if they exist.
No actual exploitation attempts without a separate agreement, of course.
Enumeration only.
Best regards,
Adam Kozakiewicz
On 13.03.2019 at 11:27, Nicolas Diaz wrote:
Dear SPARTA partners,
It could be relevant to implement the following method called security.txt
in order to provide a channel for reporting vulnerabilities in a
coordinated way, especially for IT security researchers who are not part
of SPARTA.
For instance we have set up security.txt on our website >
https://www.yeswehack.com/.well-known/security.txt
You will find documentation concerning this method by visiting the
official website >
https://securitytxt.org/
Best regards,
nicolas diaz
On 13/03/2019 11:20, ANTIGNAC Thibaud wrote:
Dear SPARTA partners,
We now consider that issues #1 and #2 mentioned below have also been
fixed.
Do not hesitate to contact security(a)sparta.eu
<mailto:security@sparta.eu> for matters related to these issues or,
more generally, to report any security-related issue.
Best regards,
--
Thibaud Antignac
CEA List
*From: *ANTIGNAC Thibaud <thibaud.antignac(a)cea.fr>
*Date: *Tuesday 12 March 2019 at 16:36
*To: *"project.consortium(a)internal.sparta.eu"
<project.consortium(a)internal.sparta.eu>
*Cc: *<bodies.security-advisory-board(a)internal.sparta.eu>,
"bodies.coordination(a)internal.sparta.eu"
<bodies.coordination(a)internal.sparta.eu>
*Subject: *Concerning the security issues disclosed on 12 March 2019
Dear SPARTA partners,
Thank you to Matthias for having pointed out these three security issues:
* #1 – reported on 2019 02 18, disclosed on 2019 03 12 – HTTP page with form for MLs
* #2 – reported on 2019 02 18, disclosed on 2019 03 12 – Certificate for https://server.sparta.eu
* #3 – reported on 2019 03 12, disclosed on 2019 03 12 – Public access to MLs archives
#3, the most critical one, has been fixed almost immediately. #1 and
#2 have been addressed and tests are being made to ensure they can
also be considered as fixed.
The Project Security Officer of SPARTA (Florent Kirchner, CEA)
scheduled a Security Advisory Board meeting to discuss this
incident and improve the procedures and technical measures. Meetings
with TNK (in charge of the IT infrastructure) and UBON (having
reported the issues) are also being scheduled to get more information
about the circumstances. A more complete description of the incident
will be sent once the whole situation is better understood.
The Security Advisory Board, composed of the Project Security Officer,
the Program leaders, the Ethics Committee chair, and the Dissemination
Committee chair can be contacted
at bodies.security-advisory-board(a)internal.sparta.eu
<mailto:bodies.security-advisory-board@internal.sparta.eu> (and security(a)sparta.eu
<mailto:security@sparta.eu> for external parties).
Do not hesitate to contact the Security Advisory Board or the
coordination at bodies.coordination(a)internal.sparta.eu
<mailto:bodies.coordination@internal.sparta.eu> for matters and
questions related to this incident. Please be sure we are fully
committed to its complete resolution.
Best regards,
--
Thibaud Antignac
CEA List
--
*YES WE HACK*
Twitter : @YesWeHack <https://twitter.com/yeswehack>
https://yeswehack.com
Twitter perso : @nicoladiaz <https://twitter.com/nicoladiaz>
PGP :: B8E5 208A FB90 3460
__________________________