Full Disclosure mailing list archives

To anybody who's offended by my disclosure policy

From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Thu, 25 Nov 2004 17:51:58 +0100

I will try to explain this all once again, but only ONCE again:

MSIE IFRAME bufferoverflow:
I did not disclose the vulnerability: I wrote an analysis of a publicly known vulnerability. It was a warning that
there could be malicious people stealing your creditcard details and whatnot with a 0day exploit. Nobody seemed to
notice... Maybe the advisory was to technical, maybe the vendor didn't want bad publicity, I don't know. I figured it
was in everybody's interest to make the exploit public knowledge so everybody would take notice and could take
precautions. In that I succeeded. What did I get for all this ? Fame and attention.

MSIE nested array sort() loop Stack overflow exception:
People are expecting me to play by their rules but they do not offer me anything in return. I've had enough of that, so
I decided to release this without enough details. Instead of relying on me for information, you now have to rely on
your vendor. Let's see how long it takes them to come up with an analysis. Firefox and Opera just got cought in the
crossfire.

My disclosure policy:
Most vendors treat "hackers" like free beta-testers that they can put the blame on when publicity goes bad. Mozilla
does pay for remotely exploitable vulnerabilities. Fact of the matter is I could have released more IE 0day exploits if
I wanted to, but I've choosen to disclose them responsibly. That choice was made a lot easier by iDefense, who do pay
people for their time and knowledge. I have also found other vulnerabilities in Firefox, but I also choose not to
disclose them untill I've analysed them and reported them to the vendor.

So what do I get for all my time and work ?
- Do I get payed ? No.
- Do I get n00bs trying to flame me ? Yes.
- Do I get attention from people who do know what I am talking about and might want to hire me to work for them ? Yes.

Cheers,
SkyLined

PS. Recursive function call will cause stack overflow causing write exception in guard page on a push, no control over
registers: no exploit.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

FIREFOX flaws: nested array sort() loop Stack overflow exception Berend-Jan Wever (Nov 25)
- More Browser flaws on MACOSX: nested array sort() loop Stack overflow exception Marco Mella (Nov 25)
- Re: FIREFOX flaws: nested array sort() loop Stack overflow exception James Tait (Nov 25)
- Re: FIREFOX flaws: nested array sort() loop Stack overflow exception Gadi Evron (Nov 25)
  - To anybody who's offended by my disclosure policy Berend-Jan Wever (Nov 25)
    - Re: To anybody who's offended by my disclosure policy Gadi Evron (Nov 25)
    - Re: To anybody who's offended by my disclosure policy kf_lists (Nov 27)
    - Re: To anybody who's offended by my disclosure policy Gadi Evron (Nov 27)
    - Re: To anybody who's offended by my disclosure policy kf_lists (Nov 27)
    - Re: To anybody who's offended by my disclosure policy Gadi Evron (Nov 27)
    - Re: To anybody who's offended by my disclosure policy JxT (Nov 27)
    - Re: To anybody who's offended by my disclosure policy Gadi Evron (Nov 27)
  - Re: Re: FIREFOX flaws: nested array sort() loop Stack overflow exception Dragos Ruiu (Nov 25)
    - MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway Berend-Jan Wever (Nov 26)
- Re: FIREFOX flaws: nested array sort() loop Stack overflow exception Gadi Evron (Nov 25)

(Thread continues...)