lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 28 May 2009 15:27:00 -0600
From: security@...ern0t.net
To: bugtraq@...urityfocus.com
Subject: Re: Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities

InterN0T is about Hacking. (if you have seen the introduction)

To me, Hacking is primarily about learning how and why things works as they do and if they can be changed (improved or abused in this case) and of course, sharing what you find out so the community can benefit from it! 

Afterwards, the developers can learn to code more secure (if you find a vulnerability). However, as we all might know: Security is a human factor and will always be a problem.

If i would contact the vendor as the first thing each time, how would people be able to learn from my research if it's not even possible to get an earlier version where the vulnerability is included in?

Consider the alternatives (where i don't contact the vendor):
- Sell the vulnerability and know people will exploit people in the dark.
- Keep it to myself and exploit people.
- Share it among a little group of people and let them play/exploit with it.

Taking that into consideration makes public disclosure sound like a good option to me. :-)


All of the best,
MaXe

PS: Yes, i know people will exploit the issue / vulnerability in the public disclosure method, but in this case the dealer actually has a chance of fixing it and usually they will fix it faster because it's a lot more urgent. 

It might stress them, but if they just made sure all function calls and user input (forms) were validated properly then i wouldn't have been able to find these holes in the first place ;-)

Powered by blists - more mailing lists