Full Disclosure mailing list archives

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere)

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Tue, 23 Apr 2013 10:04:32 -0700

Valdis.Kletnieks () vt edu wrote:

On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said:

Easy and nonsense, I really hope you don't think this is about credit.


I mention the credit issue only because some people *have* gotten peeved
when they contact a vendor and the vendor issues an advisory that doesn't
give them a shout-out.  So for at least *some* researchers, the lack of
vendor notification *is* about the credits.


Sure, but how does full disclosure solve that? Most vendors refuse to credit
researchers who don't play by their rules (which is almost universally tell
them and then keep quiet until they give you permission to speak) - so if
you're primarily driven by vendor credit, you should not choose full
disclosure.

Trivializing full disclosure as something people do for "shout outs" then
calling it "blackhat" is unfair and inaccurate, but we're used to this from
the Scott Culpists ;-) 


Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere), (continued)
- - - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Gregory Boddin (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Benji (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) dawg (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Georgi Guninski (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Gregory Boddin (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Georgi Guninski (Apr 24)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Valdis . Kletnieks (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Gary Baribault (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Tavis Ormandy (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Valdis . Kletnieks (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Tavis Ormandy (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Georgi Guninski (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Taylor Burke (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Gary Baribault (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Valdis . Kletnieks (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Mark Felder (Apr 23)
    - Re: 0day Vulnerability in VLC (this is my first release of the vuln anywhere) Tavis Ormandy (Apr 23)