From: guninski at guninski.com (Georgi Guninski)
Subject: [OT] Re: Quick Question

[sorry for the flame war, but this is more of the FAQ]

hellNbak, to start with, I don't remember any significant security contribution from you, am I wrong (at least Google can't find it)?

hellNbak wrote:
> On Mon, 17 Mar 2003, Georgi Guninski wrote:
>
>> No special incentive. Hint: It is not for the money, it is not for the fame.
>
> I call BS on this one Georgi.
>
> From: http://www.guninski.com/me.html
>
> "Most of the the other consultants are using the result of my security
> research, so why don't you do business directly with the source?"
>
> It is clearly a "promote the consulting" type thing. Not that there is
> anything wrong with that. Just be honest about it.

I support my words that I don't do security work for the money. Of course I have to do something for a living. Once again, money is not sufficient incentive.

>> There is no official norm as far as I know. The owner of the 0day has the
>> intellectual property over it and can do whatever he wants with it.
>> I personally have sympathy for open source projects and do my best for the problem
>> to be fixed officially before I go public. First notify the software developer
>> in this case. This sympathy does not apply to commercial vendors in whose
>> licence agreements it is written that the product is not fit for any purpose.
>
> There have been many accepted norms by *most* researchers and as you know
> Georgi, there is currently a draft disclosure guideline floating around
> not to mention RFPolicy.
>
> http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt

The IETF just said "NO" to this.

> and
>
> http://www.wiretrip.net/rfp/policy.html

RFP can do whatever he wants with his 0days and I don't care. But his writings do not apply to me. BTW, I have not seen interesting stuff from RFP recently (I don't have anything against him).

> Yes these vary a little and not everyone agrees with every part of each of
> them but the bottom line is, a responsible researcher would take the time
> to notify a vendor and give them each a set time to deal with things. Not
> play favorites with whomever is paying the bills or whomever you happen to
> dislike this week.
>
> More disclosure papers and information are available at:
>
> http://www.vulnwatch.org/disclosure.html

From the above URL: "There is no industry consensus on what constitutes best practices for vulnerability disclosure"

So what?

Have you read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Free Hacker Manifest

People seem to support this, you know.

>> Generally no. The only exception for me was Netscape - they had (probably also
>> have, check at their site) a bug bounty program, which basically means paying
>> for reproducible security bugs.
>
> Did they not have you on contract doing other security testing? How much
> did you get for the IE vulns you disclosed with zero vendor cooperation?

I have not received anything for IE vulns. Some IE vulns were not fixed for many months - just check the discussion on bugtraq and ntbugtraq. Also, if you use your 3l33t s34rching skills, you can find that in 98-99 Microsoft publicly thanked me for exactly the same behavior.

Georgi Guninski
http://www.guninski.com

--
First they ignore you
Then they laugh at you
Then they fight you
Then you win
-- Mahatma Gandhi