Open Source and information security mailing list archives
Date: Fri, 13 Dec 2013 12:29:10 -0600
From: Jordon Bedwell <envygeeks@...il.com>
To: Gary Baribault <gary@...ibault.net>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure

On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@...ibault.net> wrote:
> Of course, all software companies would love for the disclosure to wait
> for the fix to be released, and often, if the delay is considered
> reasonable by the hacker in question who found the bug, then that's what
> happens. I think it's only in the case where the company considers the
> bug to be minor or non-existent, and they are asking for a ridiculous
> delay that many hackers will say, 'tough luck I'm disclosing on xx' and
> he takes his chances that most of us agree with his decision. As Mikhail
> said, if the hacker came across the bug without any illegal means then
> he should be fine after the release (but IANAL).

It's this so-called "hacker" that defines this so-called "time limit",
which makes it both a moral and an ethical decision of your own
making if you don't see that the release schedule is fit. The fact
of the matter is that in large companies it sometimes takes time to
release updates, and if you haul off and release a major security bug
because you don't feel that the timeline fits in with your guidelines,
that is your ethics decision.

Most people do not disclose because of timelines; they disclose
because of a lack of updates and information on what is going on.
Companies are told (for example) "please respond within 90 days to let
me know if you have fixed it and when release will happen so we can
coordinate, or I will disclose it." More often than not, when dealing
with people, I find that as long as you keep them informed of what's
going on and when it's going to happen, and that they will get credit
for helping, then they are more than happy to work with you.

I don't know where you got this magical idea that ethical security
researchers just haul off and release a security bug if they think
Microsoft or Apple took a week too long to release the update.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/