Re: requesting info

["James Matthews" <nytrokiss () gmail com>]

POC is everything!

On 4/25/07, Jason Miller <jammer128 () gmail com> wrote:
> or you can have some fun and post everything about it, and email the
> vendor 5 seconds before you post it....but thats not very nice..is it?
> :(
>
> On 4/25/07, Michael Holstein <michael.holstein () csuohio edu> wrote:
> > > i'm just a new guy to this community...i was asking about the right
> > > procedures that one should do when he/she discovers a vulnerability in
> and
> > > application or operating system
> >
> > Generally, the most accepted procedure is to :
> >
> > 1) notify the vendor, including the specific conditions (and/or code)
> > required to invoke the exploit. Give then at least 30-60 days to chew on
> > it and come up with a fix.
> >
> > 2) notify the community, but withhold specific details needed for your
> > average point-and-click scriptkiddie to create an exploit (eg: name the
> > program, function, etc. but don't provide specifics).
> >
> > 3) wait .. how long you wait is a subject of debate .. but most folks
> > either give the vendor a fixed amount of time, either from the original
> > notice (good), or from the time the vendor releases a patch (better).
> >
> > 4) release the vulnerability details publicly, including source code.
> > The value of releasing the specifics is debatable, but it certainly
> > helps community-supported projects like Nessus, and those of us that
> > can't cough up the tens-of-thousands for a "commercial" vuln-scan
> product.
> >
> >
> > > also what is the right procedure to make in order to publish a new
> hacking
> > > technique to that it's know by the name of the publisher
> >
> > Generally (and with the exception of Microsoft), most vendors will give
> > you credit for a discovery. Most folks publish with a LGPL-ish license
> > that both requires attribution and restricts closed-source commercial
> use.
> >
> > If you publish to FD, and sign with your PGP key, it'll be hard for a
> > vendor to claim later that they came up with it on their own.
> >
> > ..
> >
> > The main thing is to recognize that many in the community are smart
> > enough to figure out where the problem is based on minimal details
> > (function, type of exploit, etc) without having the exact details (for
> > example, we can set a killbit on an ActiveX object without needing to
> > know exactly what's wrong with it).
> >
> > You want to help the software (or hardware) manufacturer fix the problem
> > before you "tell the world" exactly what's wrong, because you want to at
> > least make the bar high enough that script-kiddies can't just
> > incorporate your code into their latest "bot".
> >
> > If the manufacturer ignores your legitimate attempts to inform them
> > about a problem, or stalls perpetually, then it's an accepted practice
> > to go ahead and embarrass them by releasing the exploit after a
> > reasonable length of time.
> >
> > It's this "embarrassment" that keeps folks honest.
> >
> > My $a { ($a = 1 * .02); }
> >
> > Cheers,
> >
> > Michael Holstein CISSP GCIA
> > Cleveland State University
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/