Penetration Testing mailing list archives
Re: Things to do before vulnerability disclosure
From: Jeremy Brown <0xjbrown41 () gmail com>
Date: Tue, 16 Jun 2009 14:31:57 -0400
Is that the same principle as speaking implies you know what you're talking about? There are many other ways to find bugs, even finding them by accident. Reverse engineering is only one of them. To say that finding bugs in software implies the researcher disassembled the binary is ridiculous.

On Tue, Jun 16, 2009 at 3:29 AM, Giuseppe Fuggiano <giuseppe.fuggiano () gmail com> wrote:
2009/6/16 Geoffrey J Gowey <gjgowey () gmail com>:

Print out the note to them from a library, pick up note using gloves, put note in self sealing envelope (minus return address), put on self adhesive stamp, then mail note from a public box in another town. Or you could email them and find out the hard way how much of a sense of humor their corporate security department has (read: lawsuit).

Has anyone been accused before of having found a bug? For example, in the Windows XP EULA license there is the following point:

4. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY. You may not reverse engineer, decompile, or disassemble the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

Finding a bug and writing an exploit could imply disassembly/debugging proprietary code. This possibly causes a violation of the software license. Notifying it to Microsoft, for example, could have a bad side effect...

--
Giuseppe

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 15)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- Re: Things to do before vulnerability disclosure Justin Ferguson (Jun 15)
- Re: Things to do before vulnerability disclosure Giuseppe Fuggiano (Jun 16)
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 16)
- Message not available
- Re: Things to do before vulnerability disclosure Jeremy Brown (Jun 17)
- Re: Things to do before vulnerability disclosure Aarón Mizrachi (Jun 17)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 17)
- Re: Things to do before vulnerability disclosure Jeffrey Walton (Jun 18)
- Re: Things to do before vulnerability disclosure Adriel T. Desautels (Jun 18)
- RE: Things to do before vulnerability disclosure Nick Vaernhoej (Jun 18)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 20)
- Re: Things to do before vulnerability disclosure Geoffrey J Gowey (Jun 15)
- RE: Things to do before vulnerability disclosure Paul Melson (Jun 17)