Re: Where are you guys standing re: the (full) disclosure

[Georgi Guninski <guninski () guninski com>]

On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
> Answers:
> 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that is ethical. They will decide if to 
> consider your finding as a bug. Your following steps depend on their opinion on the finding.
> 2. If you keep it for yourself - no problems. If you disclose on Internet before informing M$, there is certain risk, 
> but first of all it is not ethical. If you sell it as an exploit, and it will be widely used as 0-day, then it might 
> be a hunt for your head with some bounty (you are not relly breaking a law as I wrote below, but angry government may 
> find something suitable for you) . So, you need to consider risks and how to hide your identity. If you found bug not 
> breaking MS code and not accessing to a computer illegally, you do not break any formal law. Breaking MS code may be 
> considered as a violation of their property rights, but MS guys should be really angry to pursue such case.
> As you describe, you did not do anything illegal and releasing the finding is up to you, again - ethics.
> 3. Will make you a star, but not shining brings more risks.
>
> Shortly - inform M$ first and wait what they said. If they do not agree - you are free to go.


I completely disagree with this answer.

YOU turn the other cheek, not bug hunters.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/