Full Disclosure mailing list archives
Re: requesting info
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 25 Apr 2007 10:08:06 -0400
i'm just a new guy to this community...i was asking about the right procedures that one should do when he/she discovers a vulnerability in and application or operating system
Generally, the most accepted procedure is to : 1) notify the vendor, including the specific conditions (and/or code) required to invoke the exploit. Give then at least 30-60 days to chew on it and come up with a fix. 2) notify the community, but withhold specific details needed for your average point-and-click scriptkiddie to create an exploit (eg: name the program, function, etc. but don't provide specifics). 3) wait .. how long you wait is a subject of debate .. but most folks either give the vendor a fixed amount of time, either from the original notice (good), or from the time the vendor releases a patch (better). 4) release the vulnerability details publicly, including source code. The value of releasing the specifics is debatable, but it certainly helps community-supported projects like Nessus, and those of us that can't cough up the tens-of-thousands for a "commercial" vuln-scan product.
also what is the right procedure to make in order to publish a new hacking technique to that it's know by the name of the publisher
Generally (and with the exception of Microsoft), most vendors will give you credit for a discovery. Most folks publish with a LGPL-ish license that both requires attribution and restricts closed-source commercial use. If you publish to FD, and sign with your PGP key, it'll be hard for a vendor to claim later that they came up with it on their own. .. The main thing is to recognize that many in the community are smart enough to figure out where the problem is based on minimal details (function, type of exploit, etc) without having the exact details (for example, we can set a killbit on an ActiveX object without needing to know exactly what's wrong with it). You want to help the software (or hardware) manufacturer fix the problem before you "tell the world" exactly what's wrong, because you want to at least make the bar high enough that script-kiddies can't just incorporate your code into their latest "bot". If the manufacturer ignores your legitimate attempts to inform them about a problem, or stalls perpetually, then it's an accepted practice to go ahead and embarrass them by releasing the exploit after a reasonable length of time. It's this "embarrassment" that keeps folks honest. My $a { ($a = 1 * .02); } Cheers, Michael Holstein CISSP GCIA Cleveland State University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- requesting info n n (Apr 25)
- Re: requesting info Tim (Apr 25)
- <Possible follow-ups>
- requesting info n n (Apr 25)
- Re: requesting info Paul Sebastian Ziegler (Apr 25)
- Re: requesting info Michael Holstein (Apr 25)
- Re: requesting info Jason Miller (Apr 25)
- Re: requesting info James Matthews (Apr 25)