Bugtraq mailing list archives
Re: Submission
From: hellnbak () HUSHMAIL COM
Date: Tue, 28 Nov 2000 08:52:41 -0700
Thanks for your reply Georgi.
I rarely reply to "lame shit" as defined by the anonymous author but since he offends me publicly I must reply.
Wasn't attempting to offend anyone, for that I do apologize.
1) Regarding my relations with AOL: Your conspiracy theory is wrong. I own a software company in Bulgaria. My company has a contract with AOL for finding bugs in Mozilla/Netscape 6. AOL pay my company only for finding bugs in Mozilla/Netscape and for nothing more. AOL does not require from me to find bugs in any other product or service. I have posted several vulnerabilities in Microsoft's product long before I had any relations with AOL.
Why do you choose to not publically disclose the Netscape problems? Why are you allowing Netscape/AOL to prove that deep pockets and 7 figure pay offs can keep people quiet? It is pretty convieniant for Netscape/AOL isn't it. Hire you, you keep quiet about them and seem to speak up about MS.
3) Do you think I am so exceptional to be the only one in the world to find these vulnerabilities? I believe I am not.
You are correct, while I do believe you have a talent, I do not believe that you are the only one.
4) Would you prefer not to post anything to Bugtraq and on my web site? Would you feel safer then?
Of course not. I would feel safer however, if you would at least show some cooperation and help fix the problems you find. Your last advisory, #30, gave the vendor, in this case MS again, 2 days notice. Why are you unable to show a little cooperation for the vendor? I know you and a lot of people generally hate microsoft, but why let the industry suffer because of it. The longer your findings go unfixed, the more danger there is to all of us. I agree that taking months to fix something is way to long, but I disagree with your precieved lack of cooperation.
5) I think the security state of most of the software industry right now is extremely bad, reaching nightmare. But the problem are not people who discover the vulnerabilites but the people who ship the products/services with vulnerabilities.
I think it is extremely bad but slowly improving. I agree that the problem is not the bug finders, the responsible ones anyways, the problem is the market in general. Consumers and shareholders squeeze the vendors to rush products out the door. These same comsumers then bitch when problems are found.
6) Regarding vendor response times: on my site there are vulnerabilities which are not fixed for 4 months and still work.
I agree, 4 months is way too long for a bug to go unfixed. But why not cooperate with the vendor, why not answer their questions and help them develop a fix. I remember a post a while back from you that said, "Why should I help the vendor". My question to you is, why not help the vendor? You said yourself, that they have to get their acts together why not assist in that process like the rest of us are?
Current thread:
- Submission hellnbak (Nov 28)
- Re: Submission Ryan Russell (Nov 29)
- Re: Submission Georgi Guninski (Nov 29)
- Re: Submission Geo. (Nov 29)
- Re: Submission Gunther Birznieks (Nov 30)
- <Possible follow-ups>
- Re: Submission hellnbak (Nov 29)
- Re: Submission Georgi Guninski (Nov 30)
- Re: Submission Robert G. Ferrell (Nov 29)
- Re: Submission Scott Blake (Nov 30)
- Re: Submission aarhus (Nov 29)
- Re: Submission Rune Kristian Viken (Nov 30)
- Re: Submission Geoffrey Moon (Nov 30)
- Re: submission rain forest puppy (Nov 30)
- Re: Submission Elias Levy (Nov 30)