Penetration Testing mailing list archives

Re: Things to do before vulnerability disclosure


From: Giuseppe Fuggiano <giuseppe.fuggiano () gmail com>
Date: Tue, 16 Jun 2009 09:29:09 +0200

2009/6/16 Geoffrey J Gowey <gjgowey () gmail com>:
> Print out the note to them from a library, pick up note using gloves, put
> note in self sealing envelope (minus return address), put on self adhesive
> stamp, then mail note from a public box in another town.  Or you could email
> them and find out the hard way how much of a sense of humor their corporate
> security department has (read: lawsuit).

Has anyone been accused before for having found a bug?  For
example, the Windows XP EULA contains the following clause:

4. LIMITATIONS ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY.
You may not reverse engineer, decompile, or disassemble the Software,
except and only to the extent that such activity is expressly
permitted by applicable law notwithstanding this limitation.

Finding a bug and writing an exploit could imply disassembling/debugging
proprietary code.  This could possibly constitute a violation of the software
license.  Notifying Microsoft of it, for example, could have a bad
side effect...

-- 
Giuseppe

