Re: [Full-disclosure] Vulnerabilities Hashes DB needed
As I do believe in responsible disclosure, I don't agree with 'giving up
and launching 0days' so that vendors eat their s**t, so the following is
what I think is the best solution for it.

Solution:
-------------

Once I developed this, vendors were typically fast to respond...
http://www.exploitlabs.com/disclosure-policy.html

This link is sent upon first contact to the vendor with PoC.
Further, you should date your PoC and research notes. Another good
tactic to take is to place your advisory on a webserver, accessible to
the vendor but not the public. This also helps establish your timeline so
a vendor cannot claim it was fixed "on foobar date" and you get no credit.
With over 50 security advisories to date, I have not had the issue
you are having.

Some disclosure asset links
http://www.wiretrip.net/rfp/txt/ietf-draft.txt
http://www.oisafety.org/
http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf


Some stories on disclosure and credit
http://blogs.zdnet.com/Ou/?p=465
http://blogs.securiteam.com/index.php/archives/133
http://www.theregister.co.uk/2001/11/14/ms_security_framework_is_another/


hope this helps,
Donnie Werner
http://www.exploitlabs.com
http://www.zone-h.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/