Open Source and information security mailing list archives
From: hellnbak at nmrc.org (hellNbak)
Subject: [OT] Re: Quick Question

On Mon, 17 Mar 2003, Georgi Guninski wrote:

> No special incentive. Hint: It is not for the money, it is not for the fame.

I call BS on this one Georgi. From: http://www.guninski.com/me.html

"Most of the other consultants are using the result of my security research, so why don't you do business directly with the source?"

It is clearly a "promote the consulting" type thing. Not that there is anything wrong with that. Just be honest about it.

> There is no official norm as far as I know. The owner of the 0day has the
> intellectual property over it and can do whatever he wants with it.
> I personally have sympathy for open source projects and do my best to get the problem
> fixed officially before I go public. First notify the software developer
> in this case. This sympathy does not apply to commercial vendors in whose
> licence agreements it is written that the product is not fit for any purpose.

There have been many accepted norms by *most* researchers and, as you know Georgi, there is currently a draft disclosure guideline floating around, not to mention RFPolicy.

http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt
and
http://www.wiretrip.net/rfp/policy.html

Yes, these vary a little and not everyone agrees with every part of each of them, but the bottom line is, a responsible researcher would take the time to notify a vendor and give them a set time to deal with things. Not play favorites with whomever is paying the bills or whomever you happen to dislike this week.

More disclosure papers and information are available at:
http://www.vulnwatch.org/disclosure.html

> Generally no. The only exception for me was Netscape - they had (probably also
> have, check at their site) a bug bounty program, which basically means paying
> for reproducible security bugs.

Did they not have you on contract doing other security testing? How much did you get for the IE vulns you disclosed with zero vendor cooperation?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@...c.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-