Message-ID: <41560347.8060507@rogers.com>
From: blsonne at rogers.com (Byron L. Sonne)
Subject: Yahoo! Store Security Advisory
> They don't know how to have a human discussion about serious flaws you
> send them. They are so self-centred.
> They make me want to act like a script kiddie and be malicious to the
> Yahoo! network, but of course I know that's an irresponsible thing to
> do.
This is precisely why I say 'fuck it' and believe that if/when you find
something, publish it immediately. Don't bother giving notice to the
vendors, whoever they are. Unless of course they're good people or you have
an agreement. My personal rule is 'respect by default': everyone gets
the benefit of the doubt (except Microsoft) but as soon as they step
over the line, they've probably blown it forever. This includes them
taking their sweet time getting back, being rude, nothing but form
letters, etc.
I'm deadly serious; sometimes (i.e. too frequently) people need a fierce
bitch-smacking to get their shit in order. Maybe when they finally
realize and appreciate that people are going out of their way to look
for issues in their product(s) or service(s) they'll smarten up. (Yeah
right, but we can dream).
I have a few ideas about things that could be done to drive the point
home more effectively, and it basically centres around hitting them
where it hurts. Where's that? The wallet! So:
1. Publish the vuln/sploit/hole/whatever to media friendly lists
2. Make sure the info makes it to their competitors
3. Make sure the info makes it to their investors
4. Make sure the info makes it to their business partners
5. Make sure the info gets to their most relevant user communities
When it comes to investors, business partners, competitors, etc., it
would really help to do your research and know who to contact inside the
organization. Don't just send it to some email posted on their website
(though do that too); call up the switchboard and socially engineer your
way into finding out who the people who make stuff happen are.
All of this would be helped by well written, intelligent documentation
of the issues at hand. Don't speak like a lame scr1p7 |<1dd13 or stuff
like that. Make it as easy as possible for the people receiving the
information to (a) verify that it is true and (b) exploit the
vulnerability. Include POC code. Write it so that even people who use
Macs and Windows XP can figure out how to wreak havoc with it, i.e. give
them a binary.
Perhaps I'll call this 'Ultimate Disclosure'?
Kick them in the nuts, and keep kicking, until they learn to run when
they see you coming.
Regards,
Byron