On Sun, Apr 28, 2013 at 04:39:55PM -0300, Ulises Cuñé wrote:
I am sending you a new Security Report.
Regards, U
2013/4/27 Nick Mathewson <nickm@alum.mit.edu>
On Sat, Apr 27, 2013 at 7:16 PM, Ulises Cuñé <ulises2k@gmail.com> wrote:
I want to collaborate with the Tor project.
I am sending a document of source code analysis about the latest version
Well, looks like I'm spending my evening combing through this thing looking for true-positives. If you find any that aren't false-positives --- particularly security-relevant ones --- please send me a gpg-encrypted mail or something. Sending them to the mailing list like this isn't so great.
(Does the Fortify license actually let you do this? I thought most tools like this were a little picky about what code you could run them on, and what you could do with the results.)
best wishes,
Nick
Hi Ulises,
If you really want to collaborate, there are numerous different ways you can do it. As an outsider myself, I understand it's difficult to decide how exactly you can help and make improvements to Tor and the Tor ecosystem. However, providing these reports in this way really is not the best method to establish a collaborative relationship with the project.
The devs are really friendly, as I've discovered, so in the future it is probably best if you contact them directly (as Nick described) and discuss any (potential) vulnerabilities you've found rather than sending an entire list of potential vulnerabilities to an open list.
- Matt