Penetration Testing mailing list archives
RE: Things to do before vulnerability disclosure
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 17 Jun 2009 13:37:07 -0400
> Has anyone been accused before for having found a bug? For example, in the Windows XP EULA license there is the following point:
There are lots of examples of vendors suing or otherwise going after researchers for disclosing vulns. For some vendors, it's a standard response.
> Finding a bug and writing an exploit could imply disassembling/debugging proprietary code. This could possibly cause a violation of the software license. Notifying Microsoft about it, for example, could have a bad side effect...
It certainly could. If you discover a new vulnerability during the course of consulting work, your first responsibility is, IMHO, to your client. They paid you to do this work, and therefore they deserve input into the process. The responsible thing is to work through them and their support agreement or license with the vendor to report the bug and help the vendor duplicate and analyze it, as well as helping the client test any fix that the vendor provides. This means not disclosing the vuln until after a fix has been released, and often not at all.

PaulM