lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: BlueBoar at thievco.com (Blue Boar)
Subject: [Secure Network Operations,
 Inc.] Full Disclosure != Exploit Release

Strategic Reconnaissance Team wrote:
> 	Very good points.  I've considered most of these and they all make
> sense. As far as corporate politics are concerned, don't you think that
> exploit disclosure could hurt vendor relationships? Granted, we are not
> going to make our decision on that premise but it would be a nice thing
> to avoid. 

Given what I know about your business model (which, I understand, is you 
research or acquire vulnerabilities, notify the vendor, and see if they are 
intersted in consulting work) then no, they would probably not want to see 
the exploits released publicly.  The vendor would probably like to have the 
exploit themselves, but not have it made public.

One problem with anyone making private exploits is that they always seem to 
get leaked, no matter who it is.  I don't know if that is pro or con for 
releasing public exploit, but it's something to keep in mind if there is a 
concern about the exploit "getting out."

Naturally, if someone writes an exploit, they can do whatever they want 
with it.  I think there are several business models where it absolutely 
makes sense from a business perspective to not release exploits.  With 
yours, it may make sense to not release exploits.  For scanner vendors, it 
absolutely makes sense for them to not release exploits (to the public, for 
free, I mean.  Not all of them, anwyay.)

My main concern is that a climate not develop such that people who wish to 
release exploits cannot do so, because all the big guys who can stand up 
for themselves have quit doing so, and the little guys can be threatened 
back into the underground.

						BB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ