Full Disclosure mailing list archives
Re: Where are you guys standing re: the (full) disclosure
From: Georgi Guninski <guninski () guninski com>
Date: Fri, 13 Dec 2013 17:12:02 +0200
On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote:
Answers:
1. Whether you are right and there is a bug, let the vendor (M$) know; that is ethical. They will decide whether to consider your finding as a bug. Your following steps depend on their opinion on the finding.
2. If you keep it for yourself - no problems. If you disclose on Internet before informing M$, there is certain risk, but first of all it is not ethical. If you sell it as an exploit, and it will be widely used as 0-day, then it might be a hunt for your head with some bounty (you are not really breaking a law as I wrote below, but angry government may find something suitable for you). So, you need to consider risks and how to hide your identity. If you found a bug not breaking MS code and not accessing a computer illegally, you do not break any formal law. Breaking MS code may be considered as a violation of their property rights, but MS guys should be really angry to pursue such case. As you describe, you did not do anything illegal and releasing the finding is up to you, again - ethics.
3. Will make you a star, but not shining brings more risks.
Shortly - inform M$ first and wait what they said. If they do not agree - you are free to go.
I completely disagree with this answer.
YOU turn the other cheek, not bug hunters.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/