Community Feed Contributions - How to contribute in a free way without leaking info about private network / business aspects?

I wanted to contribute a printer banner in order to help you improve the GCF feed service.

It’s not especially private info in itself, but “G” may not yet have had access to every printer model in the world, so it might be a help for the commercial endeavor as well as for the GCF/GSE community. Of course the best would be to send a complete GPLd NASL, which may or may not come later anyway, I don’t know yet as far as I’m concerned for now.

I would like my work to be useful to GCF and not only to GSF, which is my personal preference because due to a strong universalist “Weltanschauung” I want my work to be useful for humanity as a whole and not just for specific parties, but wouldn’t mind all too much if “G” used it for its GSE only and doesn’t want to share, because I also don’t really like to put fetters on anybody about anything, being a proponent of absolute liberty for anybody, albeit with calling to universal love at the same time, and to generosity as well.

Also, I care about OpSec, e.g. not disclosing any info about networks I attend to or work in myself. So I don’t want to send an E-Mail to a “G” because that might connect my username and registration email to info about a model used in a network of the type I just mentioned.

But sending said banner wasn’t possible with the Forum platform in a private way. So this is what happened:

  • I tried to identify if info about said manufacturer/model is in the SecInfo Database, but I couldn’t find any specifics.
  • I tried a private message to a “G” member at the post which made me want to help out, but after sending it, I received an error that the message was too long.
  • I tried to locate the member’s profile and send a private message to him, but he had no public profile.
  • Then I sent it to another member who has a private profile, it got sent, but I noticed that the message was cut, so he might have gotten the HTTP header but not the body of the banner of the specific model. So I asked him if he wants the rest and how to proceed. He may have the complete thing if it’s saved in their Forum DB, or in some log, or maybe not if the Forum SW cut it before saving the complete message.
  • Then I gave up, because I didn’t find a private channel to contribute in the way I wanted in a reasonable amount of time.
  • As I said above, I also prefer to work for all and not only for some, so the threshold to continue may have been lower than otherwise.

This “otherwise” implies another thing:

First, I consider anonymous help to a commercial entity a good thing, even if I prefer greenbone’s sharing to GCF of VTs to GSF right away, because I consider greenbone’s commercial clients important enough for all of our publicly used infrastructure that this alone drives contributions of mine even if they freely choose not or “not yet” to give results to which I contributed back to GCF.

I didn’t find out yet from the info on the forum how the triage of “this goes into GCF or rather into GSF” and “when to push it from GSF to GCF” is done.

I do not really like to work if it’s useless for me or other people, although, of course, this is sometimes unavoidable, so I accept a certain uncertainty.
But since I also don’t know easily if info about a specific model is in your GSF (without GCF) databases, this somewhat lowers my threshold of contribution into an uncertain result. Is there a good way to find out, so that “The Community” might spare unnecessary contributions (for contributors and your side)? On the other hand, greenbone’s OpSec (linked to their clients’ OpSec) might mandate to keep that info as private as possible.

So maybe that’s a little stumbling point for free contributions you might think about a bit or, if that is already thought through more than I expose here, to give some information about your policies which could help The Community to better evaluate and position its efforts.

Hi,
doing it this way is more efficient than direct messages :wink:
You can check this: Call for info: Unknown OS and Service Banner Reporting

Have a nice day
Moving this to https://community.greenbone.net/c/vulnerability-tests

1 Like

Well, doing what the referenced link talks about, is precisely what I tried, to said member, and which didn’t work.

Maybe I’m just too “young” (in the Forum, that is), or maybe he didn’t have his profile private at the time when he posted the linked topic, but from my perspective I did exactly what was suggested.

Please also note that I sent the message to you then via PM, but that the message which was fed back to me was cut, so I had no way of knowing if it passed or not, so maybe that might warrant some tweaking, it only adds yet another uncertainty to the package.

Of course, posting just one banner is a little thing and you might already have it anyway, but I’m not only trying to get this little thing across.

I’m also trying to walk my talk and contribute, efficiently, so this doubles as canary for bugs, difficulties, usability and documentation questions (including the forum) encountered on the way of one member of the Community to help you build “your” Community.

I want the InfoSec Community to succeed, which naturally includes greenbone and “its” Community.

Hi there,

to answer your very first question: Hide what should be hidden and give as much information as possible.

Writing a private message is still some kind of a “free way”. However the colleague you’ve (probably) written your private message to is currently absent. You can get in contact with me or _OR and we will try to help you with the best of our abilities. :slight_smile:

Regards

1 Like

Ok, thank you for trying to help me help you.
The problem was that the private message was cut unexpectedly.

Solution was to enclose the relevant curl result of the banner request (e.g. html code) in blockquote.
I might as well have uploaded it, but that occurred to me only after the success with the blockquote. facepalm
And of course, why would the message accept a complete html page in its body?

As far as I’m concerned, this question is solved.

2 Likes