Open Source and information security mailing list archives
From: guninski at guninski.com (Georgi Guninski)
Subject: [OT] Re: Quick Question

[sorry for the flame war, but this is more of the faq]

hellNbak,

to start with, I don't remember any significant security contribution from you, 
am I wrong (at least google can't find it)?

hellNbak wrote:
> On Mon, 17 Mar 2003, Georgi Guninski wrote:
> 
> 
>>No special incentive. Hint: It is not for the money, it is not for the fame.
> 
> 
> I call BS on this one Georgi.
> 
> From; http://www.guninski.com/me.html
> 
> "Most of the the other consultants are using the result of my security
> research, so why don't you do business directly with the source?"
> 
> It is clearly a "promote the consulting" type thing.  Not that there is
> anything wrong with that.  Just be honest about it.
> 

I support my words that I don't do security work for the money.
Of course I have to do something for living.
Once again money is not sufficient incentive.

> 
>>There is no official norm as far as I know. The owner of the 0day has the
>>intellectual property over it and can do whatever he wants with it.
>>I personally have sympathy for open source projects and do my best for the problem
>>to be fixed officially before I go public. First notify the software developer
>>in this case. This sympathy does not apply for commercial vendors in whose
>>licence agreements it is written that the product is not fit for any purpose.
> 
> 
> There have been many accepted norms by *most* researchers and as you know
> Georgi, there is currently a draft disclosure guideline floating around
> not to mention RFPolicy.
> 
> http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt
> 

The IETF just said "NO" to this.

> and
> 
> http://www.wiretrip.net/rfp/policy.html
> 

RFP can do whatever he wants with his 0days and I don't care.
But his writings do not apply to me.
btw, I have not seen interesting stuff from RFP recently (don't have anything
against him).

> Yes these vary a little and not everyone agrees with every part of each of
> them but the bottom line is, a responsible researcher would take the time
> to notify a vendor and give them each a set time to deal with things.  Not
> play favorites with whomever is paying the bills or whomever you happen to
> dislike this week.
> 
> More Disclosure papers and information are available at;
> 
> http://www.vulnwatch.org/disclosure.html
> 

From the above url:
"There is no industry consensus on what constitutes best practices for
vulnerability disclosure"
So what?

Have you read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Free Hacker Manifest
People seem to support this, you know.


> 
>>Generally no. The only exception for me was Netscape - they had (probably also
>>have, check at their site) a bug bounty program, which basically means paying
>>for reproducible security bugs.
> 
> 
> Did they not have you on contract doing other security testing?  How much
> did you get for the IE vulns you disclosed with zero vendor cooperation?
> 
> 

I have not received anything about IE vulns.
Some IE vulns were not fixed for a lot of months - just check the discussion on 
bugtraq and ntbugtraq.
Also, if you use your 3l33t s34rching skills, you can find that in 98-99
microsoft publicly thanked me for exactly the same behavior.

Georgi Guninski
http://www.guninski.com

--
First they ignore you
Then they laugh at you
Then they fight you
Then you win
-- Mahatma Gandhi