POC is everything!<br><br><div><span class="gmail_quote">On 4/25/07, <b class="gmail_sendername">Jason Miller</b> <<a href="mailto:jammer128@gmail.com">jammer128@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
or you can have some fun and post everything about it, and email the<br>vendor 5 seconds before you post it....but that's not very nice..is it?<br>:(<br><br>On 4/25/07, Michael Holstein <<a href="mailto:michael.holstein@csuohio.edu">
michael.holstein@csuohio.edu</a>> wrote:<br>> > I'm just a new guy to this community...I was asking about the right<br>> > procedures that one should do when he/she discovers a vulnerability in an<br>> > application or operating system
<br>><br>> Generally, the most accepted procedure is to:<br>><br>> 1) notify the vendor, including the specific conditions (and/or code)<br>> required to invoke the exploit. Give them at least 30-60 days to chew on
<br>> it and come up with a fix.<br>><br>> 2) notify the community, but withhold specific details needed for your<br>> average point-and-click scriptkiddie to create an exploit (eg: name the<br>> program, function, etc. but don't provide specifics).
<br>><br>> 3) wait .. how long you wait is a subject of debate .. but most folks<br>> either give the vendor a fixed amount of time, either from the original<br>> notice (good), or from the time the vendor releases a patch (better).
<br>><br>> 4) release the vulnerability details publicly, including source code.<br>> The value of releasing the specifics is debatable, but it certainly<br>> helps community-supported projects like Nessus, and those of us that
<br>> can't cough up the tens-of-thousands for a "commercial" vuln-scan product.<br>><br>><br>> > also what is the right procedure to make in order to publish a new hacking<br>> > technique so that it's known by the name of the publisher
<br>><br>> Generally (and with the exception of Microsoft), most vendors will give<br>> you credit for a discovery. Most folks publish with an LGPL-ish license<br>> that both requires attribution and restricts closed-source commercial use.
<br>><br>> If you publish to FD, and sign with your PGP key, it'll be hard for a<br>> vendor to claim later that they came up with it on their own.<br>><br>> ..<br>><br>> The main thing is to recognize that many in the community are smart
<br>> enough to figure out where the problem is based on minimal details<br>> (function, type of exploit, etc) without having the exact details (for<br>> example, we can set a killbit on an ActiveX object without needing to
<br>> know exactly what's wrong with it).<br>><br>> You want to help the software (or hardware) manufacturer fix the problem<br>> before you "tell the world" exactly what's wrong, because you want to at
<br>> least make the bar high enough that script-kiddies can't just<br>> incorporate your code into their latest "bot".<br>><br>> If the manufacturer ignores your legitimate attempts to inform them
<br>> about a problem, or stalls perpetually, then it's an accepted practice<br>> to go ahead and embarrass them by releasing the exploit after a<br>> reasonable length of time.<br>><br>> It's this "embarrassment" that keeps folks honest.
<br>><br>> My $a { ($a = 1 * .02); }<br>><br>> Cheers,<br>><br>> Michael Holstein CISSP GCIA<br>> Cleveland State University<br>><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.
<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/
</a><br>><br></blockquote></div>