lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090616192549.E58CEB8051@smtp.hushmail.com>
Date: Tue, 16 Jun 2009 12:25:49 -0700
From: "epixoip" <epixoip@...h.com>
To: pen-test@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Things to do before vulnerability disclosure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

... really? so everyone who believes in full disclosure is a
blackhat now? by your definition, even those who follow RFPolicy
are blackhats as well. your "ethics" are severely flawed, and are
malaligned with the philosophies that many security professionals
subscribe to.

to the original poster: if you independently discover a
vulnerability, its yours. do what you want with it.


- -----Original Message-----
From: listbounce@...urityfocus.com
[mailto:listbounce@...urityfocus.com] On Behalf Of nrmaster
Sent: Tuesday, June 16, 2009 8:40 AM
To: pen-test@...urityfocus.com
Subject: Re: Things to do before vulnerability disclosure


In stark contrast to what a black hat would do (publish or more
likely sell it on the black market), an ethical security expert
ought to try to notify the vendor so that a patch or fix can be
incorporated into the next hot fix and distributed to the public
before the details of the exploit are widely available. This sort
of approach also fortifies our posture as vulnerability researchers
rather than security bug searchers.

Obviously, any legal or regulatory obligations will depend on your
local laws and/or regulations.
Cheers

- --
View this message in context: http://www.nabble.com/Things-to-do-
before-vulnerability-disclosure-tp24044921p24057042.html
Sent from the Penetration Testing mailing list archive at
Nabble.com.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAko38b0ACgkQacHgESW3wZoaFgP/bHnuOwIPS6UfiMxYgl/5fsP0RYFz
p4W7eYVLIZ09iHc8TQVroDRkVbUCnkzhGXpf6ABb2JOFaP4gmki5GmQ8X9NUCy4u8uzh
bP1qf3tEwfGttWIXFrscZ0iL0VGOrLWBOAS8KxTIYjceasWMXt4MU9mcmgPauNo3lZVS
kdkp+xg=
=5tG2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ