Date: Sat, 18 Jun 2011 00:45:19 +1000
From: Ray Jertop <seclists@...sievapers.com>
To: SMiller@...min.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: xp sp3 remote bof [from FD digest 76:33]

Hi,

I would think that the behaviour is slightly odd.

His first communication started out giving the impression that his intention was to responsibly disclose the issue
to the affected vendor but that he was simply unaware as to how to do so and would simply like instruction on the 
best method. Overall the tone was that of a responsible disclosure.

After some rather helpful information we now come full circle and it's all about the "value" of the exploit, and yes, I
understand that exploits are valuable to many for many reasons, but in that case you should already know it and
what kind of purpose such an exploit could have for you.

How about the value in helping the vendor to secure such an exploit? How about the value received from helping 
to close one more malicious avenue that while it may not have a huge and immediate effect helps in its own way?
It seems a character change once money enters the picture is all too quick these days.

Why the need to hide the obvious intent I wonder, worried about the response?

What do I know though. I'm new here.

Regards,
Jay Porter

On 17/06/2011, at 11:11 PM, SMiller@...min.com wrote:

> 
> elfius <elfius@...il.com> wrote: 
>> Thanks for the advice guys. I've received quite a few interesting offers from some rather shady sounding people (as well as public messages here), and I've begun to realise how much this is worth. So for the time being anyway I think I'll keep it for a rainy day. Cheers again for the input.
> So, evidently your purpose in posting here was to find out how best to market the vuln you identified, not to investigate its disclosure. You could have owned up to that in the first place. Do you not feel some slight embarrassment in describing others as "shady sounding"?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
