lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <72A2DB25-64F9-44D7-9EC5-1C9DFDD38BC8@gmail.com>
Date: Thu, 29 Apr 2010 09:26:58 +0200
From: Sergio 'shadown' Alvarez <shadown@...il.com>
To: Rob Fuller <jd.mubix@...il.com>
Cc: "ML: full-disclosure" <full-disclosure@...ts.grok.org.uk>,
	"ML: NoVA Hackers" <novahackers@...glegroups.com>
Subject: Re: Vuln Disclosure summarized (TTBOMA)

Rob,

The reason why different options exist is because people have the  
freedom of choice, and depending on their way of thinking they do.

Some people want to get paid for their findings through ZDI or  
iDefense, others prefer the credits only by publishing advisories  
following or not an RFP. I use to launch advisories in the past, now  
I'm with the 'No More Free Bugs'.

Some people prefer to watch the vulnerabilities get fixed, while  
others prefer to create weaponized exploits to sell to governments  
cyber warfare and cybercrime divisions, or to someone else.

As you won't succeed making politicians agree among them in their way  
of thinking, you'll also fail trying to do the same among us.

Cheers,
    sergio


On Apr 29, 2010, at 5:06 AM, Rob Fuller wrote:

> I have an admittedly limited view of the exploit dev world. However,
> from what I've seen devs have very few options: (Please correct me if
> I'm wrong)
>
> "Responsible Disclosure" =>
>
> - Direct Contact => depending on the size of the vendor and their view
> on security, this could result in anything from a simple thanks, a
> reward, to a court hearing.
>
> - Exploit Broker => possibly sell, possibly not, depends on the
> broker. The vuln could die on the table or stolen due to too much
> information being given during negotiations. This route has the same
> financial risk as direct contact, but a lot less risk of getting sued.
>
> - ZDI (or other vuln clearing house) => "instant" cash, but admittedly
> less than an Exploit Broker could possible get based on the financial
> risk to ZDI. Close to zero risk of court time (they may come after you
> for selling the exploit). And a lot less financial risk since (IIRC)
> they pay up front. But then the vulns go to also undisclosed parties,
> potentially the highest bidder which is probably not the vendor.
>
> - "other" secretive groups who share vulns for different reasons...
>
> - Just to friends => No cash, no judicial risk, but you do risk them
> stealing/selling your exploit.
>
> "Full Disclosure"
>
> - Posting it to the web for all to see/user => Possible court time,
> but the definite upside is the vendor is forced to react. A very quick
> way to make enemies.
>
> - Releasing at a conference => Probable court time.
>
> "No Disclosure"
>
> - Keeping it to yourself => Working under the assumption that your the
> only one that has found that same bug is still semi relevant due to
> the incredibly small size of the exploit dev community. However, as
> Dave said, they'll be toasting to their sleeping dead 0days some day.
>
> "No More Free Bugs"
>
> - My stance on this is split, while I think people should get paid for
> their work, I relate this movement to mowing someone's lawn and then
> ringing their doorbell and asking for money. However I'm sure Robert
> Graham's punch in the face metaphor also works.
>
> //
>
> Like, I have stated above, I am far and away a newbie to the vuln
> disclosure world and this debate has been going on since before I
> owned my own computer, but with the brilliant minds working at it, why
> doesn't anyone offer up a solid solution to it?
>
> My solution? Create a standard, something that we all abide by. I know
> as hackers we rebel against such things but in the interest of getting
> better security out there (yes, that's what we are here for right?....
> right?) we should should really work together on this. What sounds
> right?
>
> I mean, what is the right way to approach someone who's lawn you've
> mowed for the work you have done? Maybe free for open source projects,
> and a price based on exploitability and market share of the affected
> product?
>
>
> For reference:
>
> Vuln Trading Markets and You by Michal Zalewski (lcamtuf):
> => http://lcamtuf.blogspot.com/2010/04/vulnerability-trading-markets-and-you.html
>
> Vuln Disclosure is Rude by Robert Graham:
> => http://erratasec.blogspot.com/2010/04/vuln-disclosure-is-rude.html
>
> No More Free Bugs movement by Charlie Miller, Alex Sotirov and Dino  
> Dai Zovi:
> => http://trailofbits.com/2009/03/22/no-more-free-bugs/
>
> Dailydave Post by Dave Aitel:
> => http://lists.immunitysec.com/pipermail/dailydave/2010-April/006100.html
>
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ