Message-ID: <425D505F.9030507@sdf.lonestar.org>
Date: Wed Apr 13 18:01:36 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: How to Report a Security Vulnerability to Microsoft

Steve Friedl wrote:

>On Wed, Apr 13, 2005 at 10:54:34AM -0400, bkfsec wrote:
>
>>It doesn't matter how much honey is poured into people's ears (or smoke 
>>blown up their asses, if you will), it's the proof that's in the pudding 
>>that counts, and the pudding is sour.
>
>Even if you decide, for the sake of discussion, that Microsoft sucks,
>there is still a good reason to work with MSFT on disclosure: the users.

I agree with you.  I wasn't implying that people shouldn't work with 
MSFT on disclosures, rather that their attitude had not changed nearly 
as much as some people seem to think it has.

There's also a big difference between should and must.  Security 
researchers should work with vendors to get solutions out responsibly, 
including Microsoft, but they should not be restricted from publishing 
their findings if a vendor just wants to sweep things under a rug.

             -Barry

