Full Disclosure mailing list archives

Re: To anybody who's offended by my disclosure policy
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 25 Nov 2004 19:23:27 +0200

Berend-Jan Wever wrote:
> I will try to explain this all once again, but only ONCE again:

If you repeat it often enough, maybe I'll get it.

> MSIE IFRAME bufferoverflow:
> I did not disclose the vulnerability: I wrote an analysis of a publicly known vulnerability. It was a warning that there could be
> malicious people stealing your credit card details and whatnot with a 0day exploit. Nobody seemed to notice... Maybe the advisory was
> too technical, maybe the vendor didn't want bad publicity, I don't know. I figured it was in everybody's interest to
> make the exploit public knowledge so everybody would take notice and could take precautions. In that I succeeded. What did I get for
> all this? Fame and attention.

So you want fame and attention. I am glad you admit it and I appreciate you for it. Most will cover it with BS.

But who has to die for your fame and attention?

> MSIE nested array sort() loop Stack overflow exception:
> People are expecting me to play by their rules but they do not offer me anything in return.

You just said you want fame and attention - so what do you care if you get paid? Plus... nobody is MAKING you do ANYTHING.

> I've had enough of that, so I decided to release this without enough details. Instead of relying on me for information, you
> now have to rely on your vendor. Let's see how long it takes them to come up with an analysis. Firefox and Opera just got
> caught in the crossfire.

Ahh, so although I sympathize and understand how vendors can really suck and not give credit and/or inform of fixing a vulnerability - it is part of the business. Instead of accepting that or releasing information appropriately (according to any standards), you decided to get upset, kick some dust and say: "NOW YOU'LL PAY!".

> My disclosure policy:
> Most vendors treat "hackers" like free beta-testers that they can put the blame on when publicity goes bad. Mozilla does pay for
> remotely exploitable vulnerabilities. Fact of the matter is I could have released more IE 0day exploits if I wanted to, but I've
> chosen to disclose them responsibly. That choice was made a lot easier by iDefense, who do pay people for their time and knowledge. I have
> also found other vulnerabilities in Firefox, but I also choose not to disclose them until I've analysed them and reported them to the

So, basically - if you don't get paid (IE case), you don't bother to disclose responsibly? Why bother researching the vulnerability and waste your time in the first place?

> So what do I get for all my time and work?
> - Do I get paid? No.

I wonder why. The security industry may be about both very smart and very stupid people, but it is also about integrity. You blatantly state you don't have any.

> - Do I get n00bs trying to flame me? Yes.

It is not about flaming, it is about attention. You wanted attention - you got it. Nobody promised what kind of attention you'd get.

Do things differently, and you'll get a different kind of attention.

> - Do I get attention from people who do know what I am talking about and might want to hire me to work for them? Yes.

Good luck. No sarcasm intended.

PS. A recursive function call will cause a stack overflow, causing a write exception in the guard page on a push, with no control over
registers: no exploit.



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html