Date: Thu, 9 Aug 2007 01:07:12 +0000 (UTC)
From: Steven <hairpinblue@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Right, or wrong?

On Tue, 07 Aug 2007 17:46:51 -0400, Jared DeMott wrote:

> Is it morally right, wrong, don't know, don't care, good business, bad
> business, etc.?  Either way we're moving away from that model, but I was
> just curious how others on FD see it.

That depends on how much I paid for the software and what kind of license 
it has.

If I paid money for the software and I find a bug then I've become a free 
beta tester.  Nobody else works for free.  Why should I?  I advocate the 
model of notifying the vendor, give them a standard galactic week (or a 
few business days) to respond and, if negotiations aren't to my liking, 
put the bug on a public list.  The interest here is not to wreak havoc 
but to apply a force feedback sending two signals to proprietary 
vendors:  1) write better code and 2) pay for your beta testers.

If the software came gratis, free, open, share, trialware, crippleware, 
or CCGMS-Orchidware then I accept some responsibility for being a 
contributing beta tester.  In this scenario there is some moral 
obligation to ensure that the vendor is the first to know of the bug.  If 
I find a bug and my coffee was good that day then I'll send a 
notification to the development maintainers.  If my coffee sucked or if 
someone forgot the sprinkles on my donut then I keep the bug in my own 
personal files until I feel like disclosing it.  If the vendor does not 
acknowledge the bug within a standard galactic week (or a few business 
days) then it goes on a public list.  If the vendor does acknowledge the 
bug then, as a contributing beta tester with a somewhat moral obligation, 
I would make an honest effort to keep the bug under wraps until it has 
been fixed.

If tomorrow's donut is still missing sprinkles, though, it may become 
progressively more difficult to keep the bug quiet.  I tend to talk more 
at the water cooler when my donut has upset me.  I think that's part of 
being human.

In anticipation of people asking about personal info, or bank records, or 
a bug that suddenly brings down the power grid of the entire world and 
launches all of the nuclear warheads:  Hey, dumbasses, maybe someone 
should've thought about that before siphoning millions of dollars into, 
endlessly promoting, and ensuring the business success of pure crapware 
vendors and crap platforms (such as endlessly extensible HTML) for the 
sole purpose of monetary profit.  It's hardly my fault if mankind's 
idiocy and greed results in its own extinction.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/