Re: Unresponsive Vendor

[Matt Burnett <marukka () mac com>]

 True I don¹t have much of a track record, my of my exp has been with
systems intergration/management, network management, 1 security audit, and
programming (consoleconductor.com). I would consider interning but I don¹t
have money to pay next months rent, let alone the cost to move to wherever
those companies are located.

On 11/20/03 4:21 PM, "Peter Schawacker" <peter () schawacker com> wrote:

> Matt,
>
> This matter might be a better candidate for securityfocus-jobs than
> securit-basics.  To reiterate when I think you'r saying you want to work for
> a company that needs professional bug hunters but you lack a documented
> track record.  Maybe you could "intern" with the sort of company that the
> "Unresponsive Vendor"-types would listen to -- like and Bindview, ISS or
> Symantec.  The next time you find a juicy bug, make a partner of one of
> those companies.  All you have to do is find out who's in charge of the
> security vendor's vulnerability research group, which shouldn't take more
> than a call to the company's tech support line.  Come to think of it, if you
> post a message to vuln-dev or full disclosure saying that you have a bug to
> report but that you need a partner with muscle to help with it for FREE,
> you'll get the right folks to respond.  The deal is simple.  XYZ security
> gets first crack at your discovery and in turn they give you credit as a
> partner.  If you play your cards right maybe XYZ pays you, money or beer or
> something.  Your findings are valuable to somebody.  I think you know who
> those somebody's are.  There are even companies that pay cash for bugs,
> aren't there?...
>
> Good posts.  Best of luck.
>
> Peter
>
> Peter Schawacker, CISSP
> peter () schawacker com
>
>
> ----- Original Message -----
> From: "Matt Burnett" <marukka () mac com>
> To: <c_brauckmiller () LEK COM>
> Cc: <security-basics () securityfocus com>
> Sent: Thursday, November 20, 2003 9:25 AM
> Subject: Re: Unresponsive Vendor
>
>
> Im sorry if you feel that I am being immature, the main reason I would like
> credit would be to add it to my resume. I haven't worked in 4.5 months and I
> could use all the help I can get. Potential employers ive talked to seem to
> like stuff like this. Also I was irked by it because, for other security
> flaws they have given the notifier credit. If they never gave anyone credit
> I could understand that, but giving credit to people from well known orgs
> and not giving credit to just some guy (like me) doesn¹t make much sense.
>
> For the person who gave the broken window analogy. I normally wouldn¹t care
> if it was just some random piece of software. However I use this software on
> a daily basis. And when I do get another job im sure im going to have to
> support it there and worry about the security flaw.
>
> On 11/20/03 11:00 AM, "c_brauckmiller () LEK COM" <c_brauckmiller () LEK COM>
> wrote:
>
> > I have a couple of comments on this.
> >
> > First, and please don't take this the wrong way, let me state that I think
> > that
> > its a bit imature to complain about not getting credit for discovering a
> > bug/vuln in a software package.  I understand that you'd like credit for
> your
> > discovery, but I think your better served just releasing the fact that you
> > have
> > discovered it to the appropriate groups such as BugTraq.  That should be
> > credit
> > enough.  I wouldn't count on many vendors patting you on the back publicly
> and
> > saying "Yeah we screwed up and this guy found it."
> >
> > Having said that, if you haven't heard from the vendor in a month with
> even a
> > status update...I say screw'em...release the exploit.  If they don't have
> the
> > common courtesy to let you know, "Hey..we are working on it." then they
> are
> > not
> > a very good company to begin with and they should be shown that the
> security
> > community won't stand for it.  After they get nailed a couple times,
> hopefully
> > they will reconsider their methods.
> >
> > My 2 cents worth.
> >
> > Craig
> >
> >
> >
> >
> > Matt Burnett <marukka () mac com> on 11/19/2003 02:02:57 PM
> >
> > To:   security-basics () securityfocus com
> > cc:    (bcc: Craig Brauckmiller/LEK)
> >
> > Subject:  Unresponsive Vendor
> >
> >
> >
> > I have a moral question for all of you. I have notified a major software
> > company in the past about security issues with their software. I did email
> > them with enough details to replicate the issue. However they never
> > responded to my email, and a couple years later they fixed the issue and
> did
> > not give credit were due. I'm sure other researchers contacted them with a
> > similar but different way to exploit the flaw, but no one at all is given
> > credit. Now I have a local d0s for their product and have contacted them
> > again, this time via phone. After notifying them they gave me a case
> number
> > and said a engineer would be in contact with me in approximately a week.
> I'm
> > guessing that something similar will happen and this issue wont get fixed
> > for a while, and once again I wont get credit. I'm just wondering what
> would
> > be a fair time frame before releasing a exploit, and what I could/should
> do
> > about receiving credit. I have looked at some papers online about when you
> > should release a exploit but none i've read yet give any guidance on what
> > you should do if the vendor is dragging their feet.
> >
> >
> > --------------------------------------------------------------------------
> -
> > --------------------------------------------------------------------------
> --
> >
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------