Full Disclosure mailing list archives

Re: Hotmail & Passport (.NET Accounts)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 10 May 2003 14:57:28 +1300

"adf--at--Code511.com" <adf () code511 com> replied to Darren Reed's 
reply:

 >> Is it me, or does MS never credit vulnerabilities? According to
http://www.microsoft.com/security/passport_issue.asp  "a report was
published detailing a security vulnerability(...)". No more details or
credit.

And they should because...?  If you ask me, doing this for "fame and
fortune" is really against what I would call traditional hacker ethic.
That was just a simple question. AFAIK they DO for some vulnerabilities: do
you remember the IIS issue (MS99-047) discovered by eEye years ago? Well, the
Acknowledgments display credit. Same for most of the latest security bulletins
as displayed at http://www.microsoft.com/technet/security/: MS03-015 etc...

The question is not fame or whatever you call it, just a question about
selective Acknowledgments from ms.

Whether you like it or not, MS has a policy governing acknowledgement 
of vulnerability discoverers/reporters:

   http://www.microsoft.com/technet/security/bulletin/policy.asp

Admittedly that is titled "Acknowledgment Policy for Microsoft 
Security Bulletins" and the page you ask about is not a security 
bulletin, but don't you think it likely or reasonable that MS may 
apply the same acknowledgement standards to ad hoc security 
announcements as it does to its official security bulletins?

As it seems that nothing close to Microsoft's expected standard of
cooperation between discoverer and its security teams occurred in
this case, it should not be surprising that MS did not put the
discoverer(s) on the acknowledgement pedestal.  MS does not (for
easily understood reasons) want to encourage the non-observance of
its preferred vulnerability reporting, resolution and release
procedures by acknowledging people who hijack or derail that
process, regardless of the motivations for that action.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html