Re: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Sat, 14 Jan 2012 03:09:00 -0500
On Fri, 13 Jan 2012 13:14:54 PST, Gage Bystrom said:
> Exactly. People are mostly being ridiculous atm. If they told you about a
> vuln and did not take advantage of it they are innocent. By all means you
> have the right to investigate and make sure they didn't do anything else,
> but if they didn't they are innocent.
So tell me... who pays for the investigation that makes sure you didn't do
Remember that we're talking about people here - and no matter what you consider
"right" in this situation, some poor soul is going to end up saying "I really
wish you hadn't told me about that, because it's 4:45PM on Friday, and my
weekend just got shot all to heck". For that matter, *you* would say the same
thing at 4:45PM on Friday (and if you wouldn't, you *really* need to get out
> It would be like if someone found your wallet and saw your credit card, ssn
> card (which you shouldn't carry with you), and your driver's license, and
> then found you to give it back. If they didn't do anything with it they are
That would be the "I spotted a potential vuln on your website" case, which isn't
What's a lot more troubling is the "and here's a secret document proving it"
case - at which point they *have* done something with it.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/