[Full-disclosure] Things to do before vulnerability disclosure
epixoip at hush.com
Tue Jun 16 20:25:49 BST 2009
-----BEGIN PGP SIGNED MESSAGE-----
... really? so everyone who believes in full disclosure is a
blackhat now? by your definition, even those who follow RFPolicy
are blackhats as well. your "ethics" are severely flawed, and are
malaligned with the philosophies that many security professionals

to the original poster: if you independently discover a
vulnerability, it's yours. do what you want with it.
-----Original Message-----
From: listbounce at securityfocus.com
[mailto:listbounce at securityfocus.com] On Behalf Of nrmaster
Sent: Tuesday, June 16, 2009 8:40 AM
To: pen-test at securityfocus.com
Subject: Re: Things to do before vulnerability disclosure
In stark contrast to what a black hat would do (publish or more
likely sell it on the black market), an ethical security expert
ought to try to notify the vendor so that a patch or fix can be
incorporated into the next hot fix and distributed to the public
before the details of the exploit are widely available. This sort
of approach also fortifies our posture as vulnerability researchers
rather than security bug searchers.
Obviously, any legal or regulatory obligations will depend on your
local laws and/or regulations.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
-----END PGP SIGNATURE-----
Full-Disclosure is hosted and sponsored by Secunia.