Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[OT] Re: Quick Question
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 17 Mar 2003 18:51:33 +0200

[Sorry for cross posting to the list, but this looks like a FAQ]

Dear Mr. Kannan,

Karthik Natarajan Kannan wrote:
Dear Mr. Guninski,

I am a doctoral student at Carnegie Mellon University working on my

I am Georgi. Georgi Guninski.

thesis on Information Security trying to understand the industry
structure and incentives.  I realize that you are one of the prime
people in unearthing bugs. I would greatly appreciate your responses for
the following questions:

Sure, I will answer, but I would greatly appreciate the answer to a question by Pink Floyd at http://www.lyricsstyle.com/p/pinkfloyd/goodbyebluesky.html
"Mother, should I trust the government?" -- Pink Floyd

a) What is the incentive for firms like yours to unearth security bugs?

No special incentive. Hint: It is not for the money, it is not for the fame.

b) What is the norm after unearthing the bug?  Whom do you report it to?

There is no official norm as far as I know. The owner of the 0day has the intellectual property over it and can do whatever he wants with it. I personally have sympathy for open source projects and do my best the problem to be fixed officially before I go public. First notify the software developer in this case. This symapthy does not apply for commercial vendors in whose licence agreements is written that the product does not fit for any purpose.

c) Suppose, a bug has been unearthed, does the software vendor pay the
security firms for unearthing the bugs?

Generally no. The only exception for me was Netscape - they had (probably also have, check at their site) a bug bounty program, which basically means paying for reproducible security bugs.

d) How do security firms like yours unearth bugs?  Do you have
specialized teams which work on unearthing these bugs?

The general algorithm is with typing on the keyboard. Mouse engineering brought to the masses is not effective, I believe.

e) Are there security firms which talk to hacker community to unearth

I think you have the term "hacker" wrong.
Check http://www.jargonfile.com/jargon/html/entry/hacker.html

f) What sort of tools do you use to unearth bugs?  Would they be similar
to what hackers use?

See the answer to e)
For me the most interesting bugs were found without any tools, just my old brain. Anyway grep and flawfinder can help in some cases.

Looking forward to hearing from you.

Me too, for the Floyd stuff.


Karthik Kannan
Carnegie Mellon University

Georgi Guninski

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]