[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]

To: SMiller@xxxxxxxxxx
Subject: Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]
From: Ray Jertop <seclists@xxxxxxxxxxxxxxxx>
Date: Sat, 18 Jun 2011 00:45:19 +1000

Hi,

I would think that the behaviour is slightly odd.

His first communication started out giving the impression that his intention 
was to responsibly disclose the issue
to the affected vendor but that he was simply unaware as to how to do so and 
would simply like instruction on the 
best method. Overall the tone was that of a responsible disclosure.

After some rather helpful information we now come full circle and its all about 
the "value" of the exploit, and yes I
understand that exploits are valuable to many for many reasons but in that case 
you should already know it and 
what kind of purpose such an exploit could have for you.

How about the value in helping the vendor to secure such an exploit? How about 
the value received from helping 
to close one more malicious avenue that while it may not have a huge and 
immediate effect helps in its own way?
It seems a character change once money enters the picture is all too quick 
these days.

Why the need to hide the obvious intent I wonder, worried about the response?

What do I know though. Im new here.

Regards,
Jay Porter

On 17/06/2011, at 11:11 PM, SMiller@xxxxxxxxxx wrote:

> 
> elfius <elfius@xxxxxxxxx> wrote: 
>> Thanks for the advice guys. I've received quite a few interesting offers 
>> from some rather shady sounding people (as well as public messages here), 
>> and I've begun to realise how much this is worth. So for the time >being 
>> anyway I think I'll keep it for a rainy day. Cheers again for the input. 
> So, evidently your purpose in posting here was to find out how best to market 
> the vuln you identified, not to investigate its disclosure. You could have 
> owned up to that in the first place. Do you not feel some slight 
> embarrassment in describing others as "shady 
> sounding"?_______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]
  - From: -= Glowing Sex =-

References:
- Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]
  - From: SMiller

Prev by Date: [Full-disclosure] CFP: IEEE GLOBECOM 2011 - Smart Communication Protocols & Algorithms (SCPA 2011)
Next by Date: [Full-disclosure] Lutz
Previous by thread: Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]
Next by thread: Re: [Full-disclosure] xp sp3 remote bof [from FD digest 76:33]
Index(es):
- Date
- Thread