mailing list archives
Re: [OT] Re: Quick Question
From: hellNbak <hellnbak () nmrc org>
Date: Mon, 17 Mar 2003 14:40:20 -0600 (CST)
On Mon, 17 Mar 2003, Georgi Guninski wrote:
No special incentive. Hint: It is not for the money, it is not for the fame.
I call BS on this one Georgi.
"Most of the the other consultants are using the result of my security
research, so why don't you do business directly with the source?"
It is clearly a "promote the consulting" type thing. Not that there is
anything wrong with that. Just be honest about it.
There is no official norm as far as I know. The owner of the 0day has the
intellectual property over it and can do whatever he wants with it.
I personally have sympathy for open source projects and do my best the problem
to be fixed officially before I go public. First notify the software developer
in this case. This symapthy does not apply for commercial vendors in whose
licence agreements is written that the product does not fit for any purpose.
There have been many accepted norms by *most* researchers and as you know
Georgi, there is currently a draft disclosure guideline floating around
not to mention RFPolicy.
Yes these vary a little and not everyone agrees with every part of each of
them but the bottom line is, a responsible researcher would take the time
to notify a vendor and give them each a set time to deal with things. Not
play favorites with whomever is paying the bills or whomever you happen to
dislike this week.
More Disclosure papers and information is available at;
Generally no. The only exception for me was Netscape - they had (probably also
have, check at their site) a bug bounty program, which basically means paying
for reproducible security bugs.
Did they not have you on contract doing other security testing? How much
did you get for the IE vulns you disclosed with zero vendor cooperation?
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
Full-Disclosure - We believe in it.