Re: [Full-disclosure] requesting info



i'm just a new guy to this community...i was asking about the right
procedures that one should do when he/she discovers a vulnerability in and
application or operating system

Generally, the most accepted procedure is to :

1) notify the vendor, including the specific conditions (and/or code)
required to invoke the exploit. Give then at least 30-60 days to chew on
it and come up with a fix.

2) notify the community, but withhold specific details needed for your
average point-and-click scriptkiddie to create an exploit (eg: name the
program, function, etc. but don't provide specifics).

3) wait .. how long you wait is a subject of debate .. but most folks
either give the vendor a fixed amount of time, either from the original
notice (good), or from the time the vendor releases a patch (better).

4) release the vulnerability details publicly, including source code.
The value of releasing the specifics is debatable, but it certainly
helps community-supported projects like Nessus, and those of us that
can't cough up the tens-of-thousands for a "commercial" vuln-scan product.


also what is the right procedure to make in order to publish a new hacking
technique to that it's know by the name of the publisher

Generally (and with the exception of Microsoft), most vendors will give
you credit for a discovery. Most folks publish with a LGPL-ish license
that both requires attribution and restricts closed-source commercial use.

If you publish to FD, and sign with your PGP key, it'll be hard for a
vendor to claim later that they came up with it on their own.

..

The main thing is to recognize that many in the community are smart
enough to figure out where the problem is based on minimal details
(function, type of exploit, etc) without having the exact details (for
example, we can set a killbit on an ActiveX object without needing to
know exactly what's wrong with it).

You want to help the software (or hardware) manufacturer fix the problem
before you "tell the world" exactly what's wrong, because you want to at
least make the bar high enough that script-kiddies can't just
incorporate your code into their latest "bot".

If the manufacturer ignores your legitimate attempts to inform them
about a problem, or stalls perpetually, then it's an accepted practice
to go ahead and embarrass them by releasing the exploit after a
reasonable length of time.

It's this "embarrassment" that keeps folks honest.

My $a { ($a = 1 * .02); }

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/