Dailydave mailing list archives
Re: Hyenas of the Security Industry
From: Marsh Ray <marsh () extendedsubset com>
Date: Mon, 21 Jun 2010 13:23:20 -0500
There's likely more to this story than meets the eye, but in an important sense that doesn't matter. The take-away here for vulnerability researchers is that it's not a good idea to initiate a discussion with MSRC unless you intend to simply hand it all over and promise to keep quiet. If you attempt to negotiate with MSRC and can't reach an agreement, their retaliation may go so far as to bring the heat down on your daytime employer through the industry press.

That leaves the options for the finder of a serious MS bug:

1. Do nothing and let MS customers remain vulnerable.
2. Drop it as a 0-day on Full-D.
3. Sell it privately such that MS will be informed through a third party in an orderly way.
4. Sell it privately to those with unknown motives.
5. Disclose fully and unconditionally to MSRC and promise to stay quiet in exchange for seeing your name in 10 point Arial at the bottom of the security bulletin when they eventually find the resources to ship a fix.

Again, I'm not saying this is necessarily the right conclusion based on what went on behind the scenes. But the perception of the discoverer of the next serious MS bug is being formed right now by observable events. Perhaps MS still has a chance to correct this perception?

- Marsh

On 6/17/2010 5:01 PM, Brad Spengler wrote:
> By now, most on this list and elsewhere have read from various news sources the "controversy" regarding Tavis Ormandy's recent full-disclosure of a vulnerability in older versions of Microsoft Windows.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave