
Re: [Full-disclosure] Things to do before vulnerability disclosure




... really? so everyone who believes in full disclosure is a
blackhat now? by your definition, even those who follow RFPolicy
are blackhats as well. your "ethics" are severely flawed, and are
malaligned with the philosophies that many security professionals
subscribe to.

to the original poster: if you independently discover a
vulnerability, it's yours. do what you want with it.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of nrmaster
Sent: Tuesday, June 16, 2009 8:40 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Things to do before vulnerability disclosure


In stark contrast to what a black hat would do (publish or more
likely sell it on the black market), an ethical security expert
ought to try to notify the vendor so that a patch or fix can be
incorporated into the next hot fix and distributed to the public
before the details of the exploit are widely available. This sort
of approach also fortifies our posture as vulnerability researchers
rather than security bug searchers.

Obviously, any legal or regulatory obligations will depend on your
local laws and/or regulations.
Cheers

--
View this message in context: http://www.nabble.com/Things-to-do-
before-vulnerability-disclosure-tp24044921p24057042.html
Sent from the Penetration Testing mailing list archive at
Nabble.com.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/