Message-ID: <010303171433340.8899-100000@www.nmrc.org>
From: hellnbak at nmrc.org (hellNbak)
Subject: [OT] Re: Quick Question

On Mon, 17 Mar 2003, Georgi Guninski wrote:

> No special incentive. Hint: It is not for the money, it is not for the fame.

I call BS on this one Georgi.

From: http://www.guninski.com/me.html

"Most of the other consultants are using the result of my security
research, so why don't you do business directly with the source?"

It is clearly a "promote the consulting" type thing.  Not that there is
anything wrong with that.  Just be honest about it.

> There is no official norm as far as I know. The owner of the 0day has the
> intellectual property over it and can do whatever he wants with it.
> I personally have sympathy for open source projects and do my best for the problem
> to be fixed officially before I go public. First notify the software developer
> in this case. This sympathy does not apply for commercial vendors in whose
> licence agreements it is written that the product does not fit for any purpose.

There have been many accepted norms by *most* researchers and as you know
Georgi, there is currently a draft disclosure guideline floating around
not to mention RFPolicy.

http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt

and

http://www.wiretrip.net/rfp/policy.html

Yes, these vary a little and not everyone agrees with every part of each of
them, but the bottom line is, a responsible researcher would take the time
to notify a vendor and give them a set time to deal with things.  Not
play favorites with whomever is paying the bills or whomever you happen to
dislike this week.

More disclosure papers and information are available at:

http://www.vulnwatch.org/disclosure.html

> Generally no. The only exception for me was Netscape - they had (probably also
> have, check at their site) a bug bounty program, which basically means paying
> for reproducible security bugs.

Did they not have you on contract doing other security testing?  How much
did you get for the IE vulns you disclosed with zero vendor cooperation?


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
