lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <52AB27A5.1020506@baribault.net>
Date: Fri, 13 Dec 2013 10:28:37 -0500
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Where are you guys standing re: the (full)
 disclosure

Of course everyone has their opinion and is allowed to have one, mine is
more similar to Mikhail's, warn Microsoft, they may take a couple of
days to answer. If they ask for little time to evaluate, it's up to you.
If they ask for unreasonable time, and keep in mind they only patch
monthly, then it's up to you if you want to disclose, but I would warn
them of the date you will be disclosing.

>From the little you disclosed it sounds like they will consider it a low
priority and request a long delay in the disclosure.

Do you know if Bind reacts the same? There a MANY more Bind DNS servers
on the web than Microsoft ones.

Gary B


On 12/13/2013 10:12 AM, Georgi Guninski wrote:
> On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
>> Answers:
>> 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that is ethical. They will decide if to consider your finding as a bug. Your following steps depend on their opinion on the finding.
>> 2. If you keep it for yourself - no problems. If you disclose on Internet before informing M$, there is certain risk, but first of all it is not ethical. If you sell it as an exploit, and it will be widely used as 0-day, then it might be a hunt for your head with some bounty (you are not relly breaking a law as I wrote below, but angry government may find something suitable for you) . So, you need to consider risks and how to hide your identity. If you found bug not breaking MS code and not accessing to a computer illegally, you do not break any formal law. Breaking MS code may be considered as a violation of their property rights, but MS guys should be really angry to pursue such case.
>> As you describe, you did not do anything illegal and releasing the finding is up to you, again - ethics.
>> 3. Will make you a star, but not shining brings more risks.
>>
>> Shortly - inform M$ first and wait what they said. If they do not agree - you are free to go.
>>
>
> I completely disagree with this answer.
>
> YOU turn the other cheek, not bug hunters.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ