mailing list archives
From: Sergio 'shadown' Alvarez <shadown () gmail com>
Date: Fri, 13 Jun 2008 11:16:44 +0200
It depends what the purpose of your hashes is.
Whenever I post hashes I always also post to what each hash belongs to.
My hashes always belong to a file that triggers a vulnerability or a PoC
exploit that I'm about to submit to a vendor, just in case the vendor
If the vendor communication goes well then there's an advisory after the
vendor fixes the problems; otherwise I have the elements to demonstrate
that the vendor silently fixed the problems without giving proper
credit to the researcher who reported the problem.
The 'see I told you so', in my opinion, is the act of a coward who is
willing to take someone else's credit without communicating
anything to anybody; the same goes when a hash is posted without saying what
it is about. At least that's how I think about it.
Once 'sowhat' released an advisory for a vulnerability behind one of the
hashes I had posted in the past (I had even demoed it at CCC Camp
2007), and I never claimed it, because he found it and he was able to
get in touch with the vendor. I wasn't even able to get an answer from
the vendor, and of course I never sent the file to them; what I did
was congratulate sowhat on his finding and ask him how he managed
to get the right contact.
That's how I handle these hashes.
Different mindset, different approach.
On Fri, Jun 13, 2008 at 2:37 PM, I)ruid <druid () caughq org> wrote:
> I'm yet to see anyone actually claim one of these posted hashes yet,
> like in the "see I told you so" fashion. Maybe I've missed it.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
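The practice the message above describes, posting the hash of a PoC file together with a note of what it is about, then revealing the file later so anyone can check it against the archived post, is a plain hash commitment. The script below is an added example written for this page; it is not code from the thread or from any of its participants. The one-line post format `sha256(<file>) = <hex>  # <description>`, the filename, the file contents and the description are all constructed placeholders, and SHA-256 is chosen over the MD5 that was still common in 2008 because MD5 collisions were already practical by then, which would let a poster commit to two different files at once.

```python
"""Commit-then-reveal for a PoC file: publish the hash (and what it belongs to)
now, reveal the file later, let anyone verify the two match.

Added example for this page; formats and sample data are assumptions."""
import hashlib
import re

# Assumed post format: sha256(<filename>) = <64 hex chars>  # <what the file is>
HASH_LINE = re.compile(r"^sha256\(([^)]+)\)\s*=\s*([0-9a-f]{64})\s+#\s*(.+)$")


def commit(filename: str, poc_bytes: bytes, description: str) -> str:
    """Build the line a researcher would post to the list.

    The hash binds the file contents; the description records what the hash
    belongs to, which a bare hash does not. The post's date comes from the
    list archive, not from anything in this line."""
    digest = hashlib.sha256(poc_bytes).hexdigest()
    return f"sha256({filename}) = {digest}  # {description}"


def parse_post(line: str) -> dict:
    """Recover filename, digest and description from a posted line."""
    match = HASH_LINE.match(line.strip())
    if match is None:
        raise ValueError(f"not a hash commitment line: {line!r}")
    return {
        "filename": match.group(1),
        "sha256": match.group(2),
        "description": match.group(3),
    }


def verify(posted_line: str, revealed_bytes: bytes) -> bool:
    """Check that a later-revealed file is the one the posted hash names.

    Any change to the revealed bytes, even one byte, must make this False."""
    record = parse_post(posted_line)
    return hashlib.sha256(revealed_bytes).hexdigest() == record["sha256"]


# Constructed sample: stands in for a crafted file that triggers a crash.
SAMPLE_POC = b"RIFF" + b"\x41" * 1024 + b"WAVEfmt " + b"\xff" * 64
SAMPLE_DESCRIPTION = "crafted .wav, heap overflow in an assumed media player (placeholder)"

if __name__ == "__main__":
    post = commit("poc.wav", SAMPLE_POC, SAMPLE_DESCRIPTION)
    print("posted to the list:", post)
    print("revealed file matches:", verify(post, SAMPLE_POC))
    print("tampered file matches:", verify(post, SAMPLE_POC + b"\x00"))
```

Note what the commitment does and does not prove: a matching reveal shows the poster held exactly this file when the archived post was made, but it says nothing about who else held it, and a hash posted without its description leaves a later reader unable to tell which fix, if any, it relates to.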