Full Disclosure mailing list archives
Re: Where are you guys standing re: the (full) disclosure question?
From: Dieyu <dieyu () dieyu org>
Date: Sat, 14 Dec 2013 02:52:33 +0000
Q: 1. should I tell MS first?

A: Microsoft is just a big company - there are good guys (my good friend was there), and there are bad guys (who think too much about money, etc). So, it's up to you whether you email secure@ms. Another factor: it can take months for a bug to be fixed (first MSRC checks it, then product team fixes it, then release - all steps take a lot of time). Guninski: "give them a few seconds" - if you want to work with Microsoft, you got to be a little patient.

Q: 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?

A: No, publishing before fix will not get you into trouble. Guninski: "if they sue you" - they won't sue you (Guninski did it before on Microsoft products, and he is fine).

Q: 3. will this make me a rock star?

A: Ah, this depends on the impact.

__________
http://offlinechromeinstaller.com/

On Fri, Dec 13, 2013 at 3:08 PM, Georgi Guninski <guninski () guninski com> wrote:
> On Thu, Dec 12, 2013 at 10:02:55PM -0400, Pedro Luis Karrasquillo wrote:
> > Humans, Dwarves, Elves, Fairies and all free folk on this list: Meli Kalikimaka.
> >
> > I think I found a relatively small bug with Windows Server running DNS with recursion turned off, that still allows the server to be used for DDOS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off.
> >
> > I want to put my findings here on the list, as well as on my blog but I am unsure if:
> >
> > 1. should I tell MS first?
>
> if you ask me definitely no. or at most give them a few seconds.
>
> > 2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
>
> if they sue you, I suppose this will make you a star for some time. IANAL, so take care.
>
> > 3. will this make me a rock star?
> >
> > I have details on the bug, as well as remediation steps. I would not say I "discovered" it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.
> >
> > What say you, Wise List Readers?
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
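The original poster's point is that a DNS server with recursion turned off is "not totally silent"; the thread gives no detail about what such a server actually sends back. As an added example (not part of any message in this thread, and not a description of the bug the poster found), the Python below lets an operator judge, from a captured query and the reply their own server produced, whether the server stayed silent, merely refused, or returned many more bytes than it received. Every DNS message in it is constructed in the script: a REFUSED reply, and a hypothetical referral to the root servers with glue whose addresses are placeholders from the 192.0.2.0/24 documentation range, not real root-server addresses. The script builds and parses wire-format messages only; it sends nothing on the network.

```python
import struct

# Added example: build and inspect DNS wire-format messages so an operator can
# see, from a query/response pair, whether a server with recursion disabled
# still replies with more bytes than it received. All messages are constructed
# here; nothing below comes from the mailing-list thread.


def encode_name(name):
    """Encode a dotted name as DNS labels ("." encodes as a lone zero byte)."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Minimal query: 12-byte header plus one question (type A, class IN by default)."""
    flags = 0x0100 if rd else 0x0000          # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query, rcode=0, answer=(), authority=(), additional=()):
    """Reply to `query` with RA=0 (recursion not available), echoing its question section."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | rcode                    # QR=1, RA=0, RCODE as given
    header = struct.pack("!HHHHHH", txid, flags, qd, len(answer), len(authority), len(additional))
    return header + query[12:] + b"".join(answer) + b"".join(authority) + b"".join(additional)


def parse_header(msg):
    """Decode the header fields that matter for this check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def assess(query, response, threshold=3.0):
    """Classify what the server did with one query, from the bytes on the wire.

    ratio = response bytes / query bytes. A server is only "silent" when it sends
    nothing; a REFUSED reply is still one reflected packet (ratio about 1); a
    ratio at or above `threshold` (an assumed cut-off) means usable amplification.
    """
    if response is None:
        return {"verdict": "silent", "ratio": 0.0, "ra": None, "rcode": None, "records": 0}
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        raise ValueError("response does not belong to this query")
    ratio = len(response) / len(query)
    records = r["ancount"] + r["nscount"] + r["arcount"]
    if r["rcode"] == 5:
        verdict = "refused"
    elif ratio >= threshold:
        verdict = "amplifies"
    else:
        verdict = "replies"
    return {"verdict": verdict, "ratio": ratio, "ra": r["ra"], "rcode": r["rcode"], "records": records}


# Constructed sample traffic: one query and two possible replies from a server
# that has recursion disabled.
QUERY = build_query("example.com")

# Reply 1: the server refuses outright; no records, but a packet still goes back.
REFUSED = build_response(QUERY, rcode=5)

# Reply 2 (hypothetical): the server will not recurse but hands back a referral
# to the root servers with glue. The names are the well-known root-server
# labels; the addresses are placeholders from 192.0.2.0/24, not real ones.
_ROOTS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
REFERRAL = build_response(
    QUERY,
    authority=[build_rr(".", 2, encode_name(n)) for n in _ROOTS],                          # 13 NS
    additional=[build_rr(n, 1, bytes([192, 0, 2, i + 1])) for i, n in enumerate(_ROOTS)],  # 13 A
)

if __name__ == "__main__":
    for label, reply in (("no reply", None), ("REFUSED", REFUSED), ("root referral", REFERRAL)):
        v = assess(QUERY, reply)
        print(f"{label:14s} verdict={v['verdict']:10s} ratio={v['ratio']:.1f} "
              f"ra={v['ra']} rcode={v['rcode']} records={v['records']}")
```

Running it prints one line per case: the 29-byte query draws a 29-byte REFUSED reply (ratio 1.0, RA=0) and an 874-byte referral (ratio about 30). The first case is the one the poster is warning about in spirit: a server that has recursion disabled still reflects a packet for every query it receives, so "recursion off" is not the same as "silent" for anyone who can spoof the source address. To use this on a real server, feed `assess` the query you sent and the reply you captured; the usual levers if the ratio is high are response rate limiting and restricting which clients the server will answer at all.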