| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <mpro.mlpwrk02xpxw006xj.taviso@cmpxchg8b.com> Date: Tue, 23 Apr 2013 10:04:32 -0700 From: Tavis Ormandy <taviso@...xchg8b.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Valdis.Kletnieks@...edu wrote: > On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said: > > > Easy and nonsense, I really hope you don't think this is about credit. > > I mention the credit issue only because some people *have* gotten peeved > when they contact a vendor and the vendor issues an advisory that doesn't > give them a shout-out. So for at least *some* researchers, the lack of > vendor notification *is* about the credits. > Sure, but how does full disclosure solve that? Most vendors refuse to credit researchers who don't play by their rules (which is almost universally tell them and then keep quiet until they give you permission to speak) - so if you're primarily driven by vendor credit, you should not choose full disclosure. Trivializing full disclosure as something people do for "shout outs" then calling it "blackhat" is unfair and inaccurate, but we're used to this from the Scott Culpists ;-) Tavis. -- ------------------------------------- taviso@...xchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists