[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
- From: Tavis Ormandy <taviso@xxxxxxxxxxxxx>
- Date: Tue, 23 Apr 2013 09:22:36 -0700
Valdis.Kletnieks@xxxxxx wrote:
> On Tue, 23 Apr 2013 17:51:55 +0300, Georgi Guninski said:
> > Completely disagree.
> >
> > IMHO nobody should bother negotiating with terrorist vendors.
> >
> > Q: What responsibility vendors have? A: Zero. Check their disclaimers.
>
> And disclaimer or no disclaimer, there's a lot of vendors who want to Do
> The Right Thing and fix their stuff to protect their users (if for no
> other reason than the possibility of lost customers if they ignore
> security issues too often).
>
> If you're a black hat, do whatever the heck you want.
>
> If you're a white hat, be responsible and at least try to engage the
> vendor. If you're worried about being stiffed for the credit for the
> find, write the advisory and post the MD5 hash somewhere before contacting
> the vendor. If they respond and work on the problem, the process works.
> If they blow you off, go blackhat and do whatever the heck you want. :)
>
> Now wasn't that easy? :)
Easy and nonsense, I really hope you don't think this is about credit.
Tavis.
--
-------------------------------------
taviso@xxxxxxxxxxxxx | pgp encrypted mail preferred
-------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/