fulldisclosure logo Full Disclosure mailing list archives

Re: Where are you guys standing re: the (full) disclosure question?
From: Dieyu <dieyu () dieyu org>
Date: Sat, 14 Dec 2013 02:52:33 +0000

Q: 1. should I tell MS first?
A: Microsoft is just a big company - there are good guys (my good friend was
there), and there are bad guys (who think too much about money, etc.). So,
it's up to you whether you email secure () ms. Another factor: it can take
months for a bug to be fixed (first MSRC checks it, then the product team fixes
it, then release - all steps take a lot of time). Guninski says "give them a few
seconds"; if you want to work with Microsoft, you have got to be a little
patient.

Q: 2. being this is possibly my first bug as a researcher, will this get me
into trouble (legal or otherwise)?
A: No, publishing before the fix will not get you into trouble. Guninski says "if
they sue you"; they won't sue you (Guninski did it before on Microsoft
products, and he is fine).

Q: 3. will this make me a rock star?
A: Ah, this depends on the impact.
__________
http://offlinechromeinstaller.com/



On Fri, Dec 13, 2013 at 3:08 PM, Georgi Guninski <guninski () guninski com> wrote:

> On Thu, Dec 12, 2013 at 10:02:55PM -0400, Pedro Luis Karrasquillo wrote:
>> Humans, Dwarves, Elves, Fairies and all free folk on this list:
>>
>> Meli Kalikimaka.
>>
>> I think I found a relatively small bug with Windows Server running DNS
>> with recursion turned off that still allows the server to be used for DDoS
>> amplification attacks. There are a sizable number of these on the net, and
>> I do not think operators realize that the server is not totally silent with
>> recursion turned off.
>> I want to put my findings here on the list, as well as on my blog, but I
>> am unsure if:
>>
>> 1. should I tell MS first?
>
> if you ask me definitely no.
> or at most give them a few seconds.
>
>> 2. being this is possibly my first bug as a researcher, will this get me
>> into trouble (legal or otherwise)?
>
> if they sue you, I suppose this will make you a star for some time.
>
> IANAL, so take care.
>
>> 3. will this make me a rock star?
>>
>> I have details on the bug, as well as remediation steps. I would not say
>> I "discovered" it per se, as I found it while studying an attack on a
>> network I protect, but I do not see it documented anywhere either.
>>
>> What say you, Wise List Readers?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
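The quoted report gives no details of the bug, so what follows is an added example, written for this archive page and not code from the thread or from any of its participants, of the check an operator would want before believing "recursion off" makes a server silent: send a query with RD set, read the flags and section counts of whatever comes back, and compute the response/query size ratio. Everything it runs against offline is constructed: the names (example.com, ns1/ns2.example.net), the TEST-NET addresses, and the referral-shaped sample reply with RA clear and populated authority/additional sections. Whether any given Windows DNS configuration actually replies that way is the poster's observation, not something this code demonstrates; the live probe() at the bottom is how you would find out for a server you are authorized to test.

```python
"""Measure whether a DNS server with recursion disabled still amplifies.

Added example for the thread above, standard library only. Runs offline
against a constructed referral response; probe() is the only network call.
"""
import socket
import struct
import sys

QTYPE_A, QTYPE_NS, QTYPE_ANY = 1, 2, 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels (RFC 1035 section 3.1)."""
    name = name.strip(".")
    if not name:
        return b"\x00"  # the root is a single empty label
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, rd: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format query; rd=True is what a reflection attacker sends."""
    flags = FLAG_RD if rd else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into flags and section counts."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(query: bytes, response: bytes) -> dict:
    """Amplification factor plus the header facts needed to interpret it.

    RA clear means recursion is off, but the server is not silent if it still
    sends a referral or REFUSED with authority/additional records; any reply
    larger than the query (factor > 1.0) is usable for reflection.
    """
    h = parse_header(response)
    factor = len(response) / len(query)
    return {
        "factor": round(factor, 2),
        "recursion_available": h["ra"],
        "rcode": h["rcode"],
        "nscount": h["nscount"],
        "arcount": h["arcount"],
        "amplifies": h["qr"] and factor > 1.0,
    }


def _rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One uncompressed resource record; used only to build the constructed sample."""
    return encode_name(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_referral_response(query: bytes, nameservers: dict) -> bytes:
    """Constructed non-recursive reply: no answers, root referral plus glue, RA clear.

    Synthetic shape of a "not totally silent" reply; not a capture from any
    real Windows DNS server.
    """
    h = parse_header(query)
    question = query[12:]
    authority = b"".join(_rr(".", QTYPE_NS, 518400, encode_name(ns)) for ns in nameservers)
    additional = b"".join(_rr(ns, QTYPE_A, 518400, socket.inet_aton(ip))
                          for ns, ip in nameservers.items())
    flags = FLAG_QR | (FLAG_RD if h["rd"] else 0)  # echo RD, leave RA clear
    header = struct.pack(">HHHHHH", h["id"], flags, 1, 0, len(nameservers), len(nameservers))
    return header + question + authority + additional


# Constructed sample: hypothetical names, RFC 5737 TEST-NET addresses.
SAMPLE_QUERY = build_query("example.com", QTYPE_ANY)
SAMPLE_RESPONSE = build_referral_response(
    SAMPLE_QUERY, {"ns1.example.net": "192.0.2.1", "ns2.example.net": "192.0.2.2"})


def probe(server: str, name: str = "example.com", qtype: int = QTYPE_ANY,
          timeout: float = 2.0) -> dict:
    """Send one live UDP query and assess the reply (network; not used by the sample)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return assess(q, resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python dnsamp.py 192.0.2.53
    else:
        print(assess(SAMPLE_QUERY, SAMPLE_RESPONSE))
```

Run without arguments to see the constructed sample scored; pass a server address to probe it live. The number to look at is not just the factor: a reply with RA clear but nonzero nscount/arcount is exactly the "not silent" behaviour the poster describes, and even a small REFUSED reply with factor near 1 still lets the server be used as a reflector, only a weaker one.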