mailing list archives
Re: Rate Stratfor's Incident Response
From: Sanguinarious Rose <SanguineRose () OccultusTerra com>
Date: Sat, 14 Jan 2012 08:33:13 -0700
I've been watching this thread for a while and I have to say a lot of
the views here do not impress me, and in fact they are why I will never
report a vulnerability if I found one. Why would I want to even risk
getting arrested and/or FBI trouble for observing a security flaw? My
policy on finding them is to quietly just move along. I'm sure I am not
the only one who does this or who has come to such a conclusion about
whether it is even worth the trouble.
I like how the assumption is always that this person is horrible and
bad for having found a security flaw, that he must not be trusted and
should be treated like a criminal. Why would he even be reporting it to
begin with if his goal were abusing the security flaw? After all, the
audacity of this dangerous cyber criminal, who took the time to tell you
about the flaw in an email and should be punished for their indiscretion
of reporting it.
The analogy of a house is a very, very bad one. Do you expect
thousands of people to be walking around your house, akin to viewing
the website? A more appropriate one would be a public store whose doors
happen to be unlocked or completely open.
"If it's not broken, don't fix it" is the classic saying of many
individuals, and sadly even more apply it to security. Even reporting
the flaw in some cases results not in fixing it but in legal trouble for
the person reporting it. You would think they might want to fix it
after being informed about it, right? After all, if it works, why fix it?
Why not silence that bad apple who found the flaw, and no one else
will know, kinda like daddy's little secret.
In conclusion, I don't care to report anything, and why is perfectly
illustrated by some of the replies to this discussion, and the above is
Flaming Welcome :)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/