Full Disclosure mailing list archives
[OT] Re: Quick Question
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 17 Mar 2003 18:51:33 +0200
[Sorry for cross posting to the list, but this looks like a FAQ]

Dear Mr. Kannan,

Karthik Natarajan Kannan wrote:
> Dear Mr. Guninski, I am a doctoral student at Carnegie Mellon University working on my

I am Georgi. Georgi Guninski.

> thesis on Information Security trying to understand the industry structure and incentives. I realize that you are one of the prime people in unearthing bugs. I would greatly appreciate your responses for the following questions:
Sure, I will answer, but I would greatly appreciate the answer to a question by Pink Floyd at http://www.lyricsstyle.com/p/pinkfloyd/goodbyebluesky.html
"Mother, should I trust the government?" -- Pink Floyd
> a) What is the incentive for firms like yours to unearth security bugs?

No special incentive. Hint: It is not for the money, it is not for the fame.

> b) What is the norm after unearthing the bug? Whom do you report it to?

There is no official norm as far as I know. The owner of the 0day has the intellectual property over it and can do whatever he wants with it. I personally have sympathy for open source projects and do my best for the problem to be fixed officially before I go public. First notify the software developer in this case. This sympathy does not apply to commercial vendors in whose licence agreements it is written that the product is not fit for any purpose.

> c) Suppose, a bug has been unearthed, does the software vendor pay the security firms for unearthing the bugs?

Generally no. The only exception for me was Netscape - they had (probably also have, check at their site) a bug bounty program, which basically means paying for reproducible security bugs.

> d) How do security firms like yours unearth bugs? Do you have specialized teams which work on unearthing these bugs?

The general algorithm is with typing on the keyboard. Mouse engineering brought to the masses is not effective, I believe.

> e) Are there security firms which talk to hacker community to unearth bugs?

I think you have the term "hacker" wrong. Check http://www.jargonfile.com/jargon/html/entry/hacker.html

> f) What sort of tools do you use to unearth bugs? Would they be similar to what hackers use?

See the answer to e). For me the most interesting bugs were found without any tools, just my old brain. Anyway grep and flawfinder can help in some cases.

> Looking forward to hearing from you.

Me too, for the Floyd stuff.

> Thanks Karthik
> Karthik Kannan
> Carnegie Mellon University
> http://www.andrew.cmu.edu/~kkannan

Georgi Guninski
http://www.guninski.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html