Penetration Testing mailing list archives

RE: Things to do before vulnerability disclosure


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 17 Jun 2009 13:37:07 -0400

> Has anyone been accused before for having found a bug?  For
> example, in the Windows XP EULA license there is the following point:

There are lots of examples of vendors suing or otherwise going after
researchers for disclosing vulns.  For some vendors, it's a standard
response. 


> Finding a bug and writing an exploit could involve disassembling/debugging
> proprietary code.  This could possibly be a violation of the software
> license.  Reporting it to Microsoft, for example, could have a bad
> side effect...

It certainly could.  If you discover a new vulnerability during the course
of consulting work, your first responsibility is, IMHO, to your client.
They paid you to do this work, and therefore they deserve input into the
process.  The responsible thing is to work through them and their support
agreement or license with the vendor to report the bug and help the vendor
duplicate and analyze it, as well as helping the client test any fix that
the vendor provides.  This means not disclosing the vuln until after a fix
has been released, and often not at all.

PaulM

