Dailydave mailing list archives

Re: Hyenas of the Security Industry


From: Marsh Ray <marsh () extendedsubset com>
Date: Mon, 21 Jun 2010 13:23:20 -0500


There's likely more to this story than meets the eye, but in an
important sense that doesn't matter.

The take-away here for vulnerability researchers is that it's not a good
idea to initiate a discussion with MSRC unless you intend to simply hand
it all over and promise to keep quiet. If you attempt to negotiate with
MSRC and can't reach an agreement, their retaliation may go so far as to
bring the heat down on your daytime employer through the industry press.

That leaves the options for the finder of a serious MS bug:

1. Do nothing and let MS customers remain vulnerable.

2. Drop it as a 0-day on Full-D.

3. Sell it privately such that MS will be informed through a third party
in an orderly way.

4. Sell it privately to those with unknown motives.

5. Disclose fully and unconditionally to MSRC and promise to stay quiet
in exchange for seeing your name in 10 point Arial at the bottom of the
security bulletin when they eventually find the resources to ship a fix.

Again, I'm not saying this is necessarily the right conclusion based on
what went on behind the scenes. But the perception of the discoverer of
the next serious MS bug is being formed right now by observable events.

Perhaps MS still has a chance to correct this perception?

- Marsh


On 6/17/2010 5:01 PM, Brad Spengler wrote:
By now, most on this list and elsewhere have read from various news
sources the "controversy" regarding Tavis Ormandy's recent
full-disclosure of a vulnerability in older versions of Microsoft
Windows.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
