Message-ID: <20131213151202.GC2588@sivokote.iziade.m$>
Date: Fri, 13 Dec 2013 17:12:02 +0200
From: Georgi Guninski <guninski@...inski.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Where are you guys standing re: the (full)
 disclosure

On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
> Answers:
> 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that is ethical. They will decide if to consider your finding as a bug. Your following steps depend on their opinion on the finding.
> 2. If you keep it for yourself - no problems. If you disclose on Internet before informing M$, there is certain risk, but first of all it is not ethical. If you sell it as an exploit, and it will be widely used as 0-day, then it might be a hunt for your head with some bounty (you are not relly breaking a law as I wrote below, but angry government may find something suitable for you) . So, you need to consider risks and how to hide your identity. If you found bug not breaking MS code and not accessing to a computer illegally, you do not break any formal law. Breaking MS code may be considered as a violation of their property rights, but MS guys should be really angry to pursue such case.
> As you describe, you did not do anything illegal and releasing the finding is up to you, again - ethics.
> 3. Will make you a star, but not shining brings more risks.
> 
> Shortly - inform M$ first and wait what they said. If they do not agree - you are free to go.
> 


I completely disagree with this answer.

YOU turn the other cheek, not bug hunters.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists