Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Sat, 14 Jan 2012 03:09:00 -0500

On Fri, 13 Jan 2012 13:14:54 PST, Gage Bystrom said:

Exactly. People are mostly being ridiculous atm. If they told you about a
vuln and did not take advantage of it they are innocent. By all means you
have the right to investigate and make sure they didn't do anything else,
but if they didn't they are innocent.

So tell me... who pays for the investigation that makes sure you didn't do
anything else?

Remember that we're talking about people here - and no matter what you consider
"right" in this situation, some poor soul is going to end up saying "I really
wish you hadn't told me about that, because it's 4:45PM on Friday, and my
weekend just got shot all to heck".  For that matter, *you* would say the same
thing at 4:45PM on Friday (and if you wouldn't, you *really* need to get out
more. ;)

It would be like if someone found your wallet and saw your credit card, ssn
card(which you shouldn't carry with you), and your drivers license, and
then found you to give it back. If they didn't do anything with it they are
fine.

That would be the "I spotted a potential vuln on your website" case, which isn't
so bad.

What's a lot more troubling is the "and here's a secret document proving it"
case - at which point they *have* done something with it.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault