Full Disclosure mailing list archives

Re: [OT] Re: Quick Question
From: Georgi Guninski <guninski () guninski com>
Date: Tue, 18 Mar 2003 01:16:47 +0200

[sorry for the flame war, but this is more of a FAQ]

hellNbak,

to start with, I don't remember any significant security contribution from you, am I wrong (at least google can't find it)?

hellNbak wrote:
> On Mon, 17 Mar 2003, Georgi Guninski wrote:
>
> > No special incentive. Hint: It is not for the money, it is not for the fame.
>
> I call BS on this one Georgi.
>
> From: http://www.guninski.com/me.html
>
> "Most of the other consultants are using the result of my security
> research, so why don't you do business directly with the source?"
>
> It is clearly a "promote the consulting" type thing.  Not that there is
> anything wrong with that.  Just be honest about it.


I support my words that I don't do security work for the money.
Of course I have to do something for living.
Once again money is not sufficient incentive.


> > There is no official norm as far as I know. The owner of the 0day has the
> > intellectual property over it and can do whatever he wants with it.
> > I personally have sympathy for open source projects and do my best for the problem
> > to be fixed officially before I go public. First notify the software developer
> > in this case. This sympathy does not apply to commercial vendors in whose
> > licence agreements it is written that the product is not fit for any purpose.
>
> There have been many accepted norms by *most* researchers and as you know
> Georgi, there is currently a draft disclosure guideline floating around
> not to mention RFPolicy.
>
> http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt


The IETF just said "NO" to this.

> and
>
> http://www.wiretrip.net/rfp/policy.html


RFP can do whatever he wants with his 0days and I don't care.
But his writings do not apply to me.
btw, have not seen interesting stuff from RFP recently (don't have anything against him).

> Yes these vary a little and not everyone agrees with every part of each of
> them but the bottom line is, a responsible researcher would take the time
> to notify a vendor and give them each a set time to deal with things.  Not
> play favorites with whomever is paying the bills or whomever you happen to
> dislike this week.
>
> More disclosure papers and information are available at:
>
> http://www.vulnwatch.org/disclosure.html


From the above url:
"There is no industry consensus on what constitutes best practices for vulnerability disclosure"
So what?

Have you read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Free Hacker Manifest
People seem to support this, you know.



> > Generally no. The only exception for me was Netscape - they had (probably also
> > have, check at their site) a bug bounty program, which basically means paying
> > for reproducible security bugs.
>
> Did they not have you on contract doing other security testing?  How much
> did you get for the IE vulns you disclosed with zero vendor cooperation?



I have not received anything about IE vulns.
Some IE vulns were not fixed for a lot of months - just check the discussion on bugtraq and ntbugtraq. Also, if you use your 3l33t s34rching skills, you can find that in 98-99 Microsoft publicly thanked me for exactly the same behavior.

Georgi Guninski
http://www.guninski.com

--
First they ignore you
Then they laugh at you
Then they fight you
Then you win
-- Mahatma Gandhi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

