From: security at updegrove.net (Rick Updegrove (security))
Subject: Epic Games threatens to sue security researchers

----- Original Message -----
From: "Georgi Guninski" <guninski@...inski.com>
To: "Thor Larholm" <thor@...x.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, February 11, 2003 1:54 PM
Subject: Re: [Full-Disclosure] Epic Games threatens to sue security researchers

> I am not aware of such industry standards. The proposed RFC was not
> approved by the IETF?

I have heard a lot of "loose talk" about lawyers getting involved in regards
to "responsible handling" of security advisories.  I would like to take this
opportunity to remind the money grubbing software vendors that such actions
will only further "piss off" the people who are only trying to help make the
Internet a "kinder, gentler place".  As a consumer of these products I ask
you to not piss them off any further.  Soon, nobody will inform you first.
I suspect that they will simply use stolen yahoo, hotmail and AOL accounts
to send advisories and exploit code directly to
full-disclosure@...ts.netsys.com bypassing your arrogant and apathetic
security@...software.com addresses altogether.

Speaking of "responsible handling" of security advisories:

I think 1 day (24 hours) before an "informative reply - what they plan to do
about it" from a vendor (a human being, not an autoresponder) is a
*responsibility* of the software vendor.

Then, a week (168 hours) before posting the information to
full-disclosure@...ts.netsys.com is fair*.

    *Unless the vendor and author work something else out.

Moreover, PivX Solutions' self-imposed 90 days (2,160 hours) was *extremely
generous*.

I have to tell you that I am a little puzzled, and somewhat miffed at PivX
for not telling us avid UT players sooner!  It really bothers me that for 90
days I have been "wide open" and Epic Games did absolutely nothing about it?

Hey Mark Rein, I want a refund and an apology!
