Full Disclosure mailing list archives
Re: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Sat, 14 Jan 2012 03:09:00 -0500
On Fri, 13 Jan 2012 13:14:54 PST, Gage Bystrom said:
> Exactly. People are mostly being ridiculous atm. If they told you about a vuln and did not take advantage of it they are innocent. By all means you have the right to investigate and make sure they didn't do anything else, but if they didn't they are innocent.
So tell me... who pays for the investigation that makes sure you didn't do anything else? Remember that we're talking about people here - and no matter what you consider "right" in this situation, some poor soul is going to end up saying "I really wish you hadn't told me about that, because it's 4:45PM on Friday, and my weekend just got shot all to heck". For that matter, *you* would say the same thing at 4:45PM on Friday (and if you wouldn't, you *really* need to get out more. ;)
> It would be like if someone found your wallet and saw your credit card, ssn card (which you shouldn't carry with you), and your driver's license, and then found you to give it back. If they didn't do anything with it they are fine.
That would be the "I spotted a potential vuln on your website" case, which isn't so bad. What's a lot more troubling is the "and here's a secret document proving it" case - at which point they *have* done something with it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/