Re: [OT] Re: Quick Question

[Georgi Guninski <guninski () guninski com>]

[sorry for the flame war, but this more of the faq]

hellNbak,

to start with, I don't remember any significant security contribution from you, 
am I wrong (at least google can't find it)?

hellNbak wrote:
> On Mon, 17 Mar 2003, Georgi Guninski wrote:
>
>
> > No special incentive. Hint: It is not for the money, it is not for the fame.
>
>
> I call BS on this one Georgi.
>
> From; http://www.guninski.com/me.html
>
> "Most of the the other consultants are using the result of my security
> research, so why don't you do business directly with the source?"
>
> It is clearly a "promote the consulting" type thing.  Not that there is
> anything wrong with that.  Just be honest about it.

I support my words that I don't do security work for the money.
Of course I have to do something for living.
Once again money is not sufficient incentive.

> > There is no official norm as far as I know. The owner of the 0day has the
> > intellectual property over it and can do whatever he wants with it.
> > I personally have sympathy for open source projects and do my best the problem
> > to be fixed officially before I go public. First notify the software developer
> > in this case. This symapthy does not apply for commercial vendors in whose
> > licence agreements is written that the product does not fit for any purpose.
>
>
> There have been many accepted norms by *most* researchers and as you know
> Georgi, there is currently a draft disclosure guideline floating around
> not to mention RFPolicy.
>
> http://www.vulnwatch.org/papers/draft-christey-wysopal-vuln-disclosure-00.txt

The IETF just said "NO" to this.

> and
>
> http://www.wiretrip.net/rfp/policy.html

RFP can do whatever he wants with his 0days and I don't care.
But his writings do not apply to me.
btw, have not seen interesting stuff from RFP recently (don't have anything 
against him).

> Yes these vary a little and not everyone agrees with every part of each of
> them but the bottom line is, a responsible researcher would take the time
> to notify a vendor and give them each a set time to deal with things.  Not
> play favorites with whomever is paying the bills or whomever you happen to
> dislike this week.
>
> More Disclosure papers and information is available at;
>
> http://www.vulnwatch.org/disclosure.html

From the above url:
"There is no industry consensus on what constitutes best pratices for 
vulnerability disclosure"
So what?

Have you read this:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/000822.html
Free Hacker Manifest
People seem to support this, you know.


> > Generally no. The only exception for me was Netscape - they had (probably also
> > have, check at their site) a bug bounty program, which basically means paying
> > for reproducible security bugs.
>
>
> Did they not have you on contract doing other security testing?  How much
> did you get for the IE vulns you disclosed with zero vendor cooperation?

I have not recieved anything about IE vulns.
Some IE vulns were not fixed for a lot of months - just check the discussion on 
bugtraq and ntbugtraq.
Also, if you use your 3l33t s34rching skills, you can find that in 98-99 
microsoft publicly thanked me for the exactly the same behavior.

Georgi Guninski
http://www.guninski.com

--
First they ignore you
Then they laugh at you
Then they fight you
Then you win
- -- Mahatma Gandhi--




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html