Message-ID: <F151Vvjvxo6AmX3qrB000000f92@hotmail.com>
From: defender242 at hotmail.com (Defender Defender)
Subject: Valid disclosure analogy

Mr. Guninsky, you want real world? Here is real world...

You are a client of 'bank A'. You find out about a way to break in 'bank A' in a quite complicated and tricky manner, but yet possible. You inform 'bank A', but no answer! What to do?

a) Don't do anything: all banks are vulnerable at some point. It's all a matter of risk, and keeping it secret is the best way to keep the risk at its lowest. Furthermore, the vulnerability does not compromise the quality of the service itself;

b) Your money is at risk: remove it from 'bank A', put it in 'bank B';

c) Break in 'bank A' and steal other people's money, get a plane ticket for Bermuda;

d) The evil 'bank A' put people at risk. Regardless of the fact that you are not the owner of the bank, nor that you represent the interest of each and every one of its clients, take the initiative to inform the world of the vulnerability details, how to exploit it, and if possible, make a point-and-click robot that breaks into the bank and steals money for you, and give a free copy to everyone who wants one;

Yes, maybe you may see now, being the client of a vendor does not give you absolute right on the vendor nor its other clients. At very best, not happy about it? Switch vendor, and shut the fuck up.