Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure

[Georgi Guninski <guninski@xxxxxxxxxxxx>]

On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
> Answers:
> 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that 
> is ethical. They will decide if to consider your finding as a bug. Your 
> following steps depend on their opinion on the finding.
> 2. If you keep it for yourself - no problems. If you disclose on Internet 
> before informing M$, there is certain risk, but first of all it is not 
> ethical. If you sell it as an exploit, and it will be widely used as 0-day, 
> then it might be a hunt for your head with some bounty (you are not relly 
> breaking a law as I wrote below, but angry government may find something 
> suitable for you) . So, you need to consider risks and how to hide your 
> identity. If you found bug not breaking MS code and not accessing to a 
> computer illegally, you do not break any formal law. Breaking MS code may be 
> considered as a violation of their property rights, but MS guys should be 
> really angry to pursue such case.
> As you describe, you did not do anything illegal and releasing the finding is 
> up to you, again - ethics.
> 3. Will make you a star, but not shining brings more risks.
> 
> Shortly - inform M$ first and wait what they said. If they do not agree - you 
> are free to go.
> 


I completely disagree with this answer.

YOU turn the other cheek, not bug hunters.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/