Re: How much time is appropriate for fixing

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

  I feel compelled to point out that disclosing a bug *is*
contributing.  It requires a lot of time and effort to find a bug,
which is a contribution to the target software, even if only seen as
free quality assurance work.  Disclosure is undeniably inconvenient
for vendors, but it is demonstrably one of the surest ways to ensure a
fix is developed.  Security researchers arguably have as much
responsibility to end users as to vendors.  If a researcher finds a
bug, unless they believe they are the best person in the world at what
they do, they must conclude black hats have access to the bug.
Disclosing the bug is the lowest resistance way for a researcher to
concurrently inform the user base and provide impetus for the vendor
to fix the issue.  The proposition that disclosure is purely selfish
ego stroking ignores the viewpoint that disclosure is a moral
obligation, which is just as valid.  Maslow's hierarchy of needs
clearly illustrates that not everyone is motivated by getting paid or
getting laid.

Justin C. Klein Keane
http://www.MadIrish.net


On 7/10/12 11:42 AM, Mikhail A. Utin wrote:
> Hello, I completely agree with Thor. We have to do something for
> free. We have to contribute, not just use. Whoever and whatever. 
> Examples: - This list is ran for free (hardware, software, time,
> energy are used for) and giving us a chance to communicate - The
> most of us use Linux, whichever flavor you prefer. The most of it
> is free time contribution. Somebody pays for that, but we use. It
> is nice to be paid for something, but consider the alternative.
> Otherwise our communications will die and we do not have an OS for
> a fun or profit.
>
> Mikhail Utin
>
> -----Original Message----- From:
> full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
> full-disclosure-request () lists grok org uk Sent: Tuesday, July 10,
> 2012 7:00 AM To: full-disclosure () lists grok org uk Subject:
> Full-Disclosure Digest, Vol 89, Issue 11
>
>
> ------------------------------ Message: 7 Date: Mon, 9 Jul 2012
> 17:24:51 +0000 From: "Thor (Hammer of God)" <thor () hammerofgod com> 
> Subject: Re: [Full-disclosure] How much time is appropriate for
> fixing a bug? To: Georgi Guninski <guninski () guninski com>, Stefan
> Kanthak <stefan.kanthak () nexgo de> Cc:
> "full-disclosure () lists grok org uk" 
> <full-disclosure () lists grok org uk> Message-ID:
> <CC205E3D.3561%thor () hammerofgod com> Content-Type: text/plain;
> charset="Windows-1252"
>
> I'm not contradicting myself at all - in fact, *you* are the exact
> type of person I'm talking about.  You couldn't give a rat's ass
> about the industry or anyone but yourself.  Nothing you have ever
> done has been "valuable" to anyone other than you; it has been
> completely self-serving egotistical bullshit.
>
> CONFIDENTIALITY NOTICE: This email communication and any
> attachments may contain confidential and privileged information for
> the use of the designated recipients named above. If you are not
> the intended recipient, you are hereby notified that you have
> received this communication in error and that any review,
> disclosure, dissemination, distribution or copying of it or its 
> contents is prohibited. If you have received this communication in
> error, please reply to the sender immediately or by telephone at
> (617) 426-0600 and destroy all copies of this communication and any
> attachments. For further information regarding Commonwealth Care
> Alliance's privacy policy, please visit our Internet web site at
> http://www.commonwealthcare.org.
>
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iPwEAQECAAYFAk/8VS0ACgkQkSlsbLsN1gA5RgcApTGAv88GuYgajw8w0FykzmWo
vowU93XaMyKWNVxarZMfXid+qLtvSMZz5HY57sl24nKADEBbHKI02Nr1+4sU05m0
Xe7oKXGtJW4uExnNXo+3IpxpGLI5/kbE56SDNGblkTd36kzUUgVnhIw+FRpHT07F
zzhfQ8Xn2o5vHGXLFhZZSozJ99GAnwI1JnpP/4eMmmuW3Z+vE+rmFLg/HcR6ZG0M
Bret3FTkm654erG+P0POQk/JqfTn9oFZk9ASCDHEX9vdHh5EdIAfmx+Gkgo7c6kN
Uw5TjOElJJxmp+xiDTk=
=tkmh
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/