Full Disclosure mailing list archives
Re: Hotmail & Passport (.NET Accounts)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 10 May 2003 14:57:28 +1300
"adf--at--Code511.com" <adf () code511 com> replied to Darren Reed's reply:
>>> Is it me or ms never credit vulnerabilities according to
>>> http://www.microsoft.com/security/passport_issue.asp
>>> "a report was published detailing a security vulnerability(...)"?
>>> No more details or credit.
>>
>> And they should because...? If you ask me, doing this for "fame and
>> fortune" is really against what I would call traditional hacker ethic.
>
> That was just a simple question. AFAIK they DO for some vulnerabilities:
> do you remember the IIS issue (MS99-047) discovered by eEye years ago?
> Well, the Acknowledgments display credit. Same for most of the latest
> security bulletins as displayed at http://www.microsoft.com/technet/security/:
> MS03-015 etc... The question is not fame or whatever you call it, just a
> question about selective Acknowledgments from ms.
Whether you like it or not, MS has a policy governing acknowledgement of vulnerability discoverers/reporters:

http://www.microsoft.com/technet/security/bulletin/policy.asp

Admittedly that is titled "Acknowledgment Policy for Microsoft Security Bulletins" and the page you ask about is not a security bulletin, but don't you think it likely or reasonable that MS may apply the same acknowledgement standards to ad hoc security announcements as it does to its official security bulletins?

As it seems that nothing close to Microsoft's expected standard of cooperation between discoverer and its security teams occurred in this case, it should not be surprising that MS did not put the discoverer(s) on the acknowledgement pedestal. MS does not (for easily understood reasons) want to encourage the non-observance of its preferred vulnerability reporting, resolution and release procedures by acknowledging people who hijack or derail that process, regardless of the motivations for that action.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html