On Thu, 16 Jun 2005 10:37:55 +0200, metesi said: > If you have, or you think you could get within few weeks, a > undisclosed/unpublished vulnerability (that have to stay private) just > contact us. Even if the 0-day *is* used for "ethical pen-tests", you can't guarantee that the use of said exploit will be able to "have to stay private". There's always the chance that an alert sysadmin will spot the use of the 0-day and the ensuing investigation exposes it to the world. The only way to guarantee that it stays private is: 1) Don't use it. There's always the chance that it will be detected. 2) Don't give a copy to "trusted friends". There's always the chance that your trusted friend shouldn't have been trusted. 3) Don't tell anybody you have a 0-day. There's always the chance some black hat will use *his* 0-day to hack your box and steal yours. And even then, it's not 100% guaranteed....
Attachment:
pgplQRivwTYiC.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/