On Fri, 13 Jan 2012 13:14:54 PST, Gage Bystrom said: > Exactly. People are mostly being ridiculous atm. If they told you about a > vuln and did not take advantage of it they are innocent. By all means you > have the right to investigate and make sure they didn't do anything else, > but if they didn't they are innocent. So tell me... who pays for the investigation that makes sure you didn't do anything else? Remember that we're talking about people here - and no matter what you consider "right" in this situation, some poor soul is going to end up saying "I really wish you hadn't told me about that, because it's 4:45PM on Friday, and my weekend just got shot all to heck". For that matter, *you* would say the same thing at 4:45PM on Friday (and if you wouldn't, you *really* need to get out more. ;) > It would be like if someone found your wallet and saw your credit card, ssn > card(which you shouldn't carry with you), and your drivers license, and > then found you to give it back. If they didn't do anything with it they are > fine. That would be the "I spotted a potential vuln on your website" case, which isn't so bad. What's a lot more troubling is the "and here's a secret document proving it" case - at which point they *have* done something with it.
Attachment:
pgpUQrjQqetct.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/