Message-ID: <CAH-PCH7ZSeOs0Mdm015Nsok+qQf62U8QXsTRSq2tcZ8rcu+hoA@mail.gmail.com>
Date: Sat, 14 Jan 2012 20:32:04 +0100
From: Ferenc Kovacs <tyra3l@...il.com>
To: Sanguinarious Rose <SanguineRose@...ultusterra.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Rate Stratfor's Incident Response

On Sat, Jan 14, 2012 at 4:33 PM, Sanguinarious Rose <SanguineRose@...ultusterra.com> wrote:

> I've been watching this chat for a while


you didn't watch properly.
nobody said that you shouldn't report vulnerabilities.
we discussed whether or not it would help if one hired the kiddies
owning their sites.
and we discussed why it is bad if you report the vulnerability and back it
up with proof that you compromised said system.

I always report the vulns that I stumble upon (from my own email and such)
and while I'm doing this in good faith, I would never dare to actively
exploit that vuln for better proof, because if they sued me, they would win.
So I try to keep it that way, that I cannot be held responsible, because I
didn't break any law.
I also think that for a full penetration test, one shouldn't act without
prior agreement with the owner and having that written down.
To go back to the IRL analogy: even if I'm doing it in good faith, so that
I would report it to the owner or fix the lock myself, I shouldn't try to open
every door and window on a "random" house, nor should I take a photo of his
belongings so that I can prove that I was there.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
