[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure
- From: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Date: Fri, 13 Dec 2013 17:12:02 +0200
On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
> Answers:
> 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that
> is ethical. They will decide if to consider your finding as a bug. Your
> following steps depend on their opinion on the finding.
> 2. If you keep it for yourself - no problems. If you disclose on Internet
> before informing M$, there is certain risk, but first of all it is not
> ethical. If you sell it as an exploit, and it will be widely used as 0-day,
> then it might be a hunt for your head with some bounty (you are not relly
> breaking a law as I wrote below, but angry government may find something
> suitable for you) . So, you need to consider risks and how to hide your
> identity. If you found bug not breaking MS code and not accessing to a
> computer illegally, you do not break any formal law. Breaking MS code may be
> considered as a violation of their property rights, but MS guys should be
> really angry to pursue such case.
> As you describe, you did not do anything illegal and releasing the finding is
> up to you, again - ethics.
> 3. Will make you a star, but not shining brings more risks.
>
> Shortly - inform M$ first and wait what they said. If they do not agree - you
> are free to go.
>
I completely disagree with this answer.
YOU turn the other cheek, not bug hunters.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/