Re: Unresponsive Vendor

From: Peter Schawacker (peter_at_schawacker.com)
Date: 11/20/03

    To: <security-basics@securityfocus.com>
    Date: Thu, 20 Nov 2003 14:21:53 -0800
    
    

    Matt,

    This matter might be a better candidate for securityfocus-jobs than
    security-basics. To reiterate what I think you're saying: you want to work for
    a company that needs professional bug hunters but you lack a documented
    track record. Maybe you could "intern" with the sort of company that the
    "Unresponsive Vendor"-types would listen to -- like Bindview, ISS or
    Symantec. The next time you find a juicy bug, make a partner of one of
    those companies. All you have to do is find out who's in charge of the
    security vendor's vulnerability research group, which shouldn't take more
    than a call to the company's tech support line. Come to think of it, if you
    post a message to vuln-dev or full-disclosure saying that you have a bug to
    report but that you need a partner with muscle to help with it for FREE,
    you'll get the right folks to respond. The deal is simple. XYZ Security
    gets first crack at your discovery and in turn they give you credit as a
    partner. If you play your cards right maybe XYZ pays you, money or beer or
    something. Your findings are valuable to somebody. I think you know who
    those somebodies are. There are even companies that pay cash for bugs,
    aren't there?...

    Good posts. Best of luck.

    Peter

    Peter Schawacker, CISSP
    peter@schawacker.com

    ----- Original Message -----
    From: "Matt Burnett" <marukka@mac.com>
    To: <c_brauckmiller@LEK.COM>
    Cc: <security-basics@securityfocus.com>
    Sent: Thursday, November 20, 2003 9:25 AM
    Subject: Re: Unresponsive Vendor

    I'm sorry if you feel that I am being immature; the main reason I would like
    credit would be to add it to my resume. I haven't worked in 4.5 months and I
    could use all the help I can get. Potential employers I've talked to seem to
    like stuff like this. Also I was irked by it because, for other security
    flaws, they have given the notifier credit. If they never gave anyone credit
    I could understand that, but giving credit to people from well-known orgs
    and not giving credit to just some guy (like me) doesn't make much sense.

    For the person who gave the broken window analogy: I normally wouldn't care
    if it was just some random piece of software. However I use this software on
    a daily basis. And when I do get another job I'm sure I'm going to have to
    support it there and worry about the security flaw.

    On 11/20/03 11:00 AM, "c_brauckmiller@LEK.COM" <c_brauckmiller@LEK.COM>
    wrote:

    >
    >
    > I have a couple of comments on this.
    >
    > First, and please don't take this the wrong way, let me state that I think
    > that it's a bit immature to complain about not getting credit for
    > discovering a bug/vuln in a software package. I understand that you'd like
    > credit for your discovery, but I think you're better served just releasing
    > the fact that you have discovered it to the appropriate groups such as
    > BugTraq. That should be credit enough. I wouldn't count on many vendors
    > patting you on the back publicly and saying "Yeah we screwed up and this
    > guy found it."
    >
    > Having said that, if you haven't heard from the vendor in a month with
    > even a status update...I say screw 'em...release the exploit. If they don't
    > have the common courtesy to let you know, "Hey..we are working on it." then
    > they are not a very good company to begin with and they should be shown
    > that the security community won't stand for it. After they get nailed a
    > couple times, hopefully they will reconsider their methods.
    >
    > My 2 cents worth.
    >
    > Craig
    >
    >
    >
    >
    > Matt Burnett <marukka@mac.com> on 11/19/2003 02:02:57 PM
    >
    > To: security-basics@securityfocus.com
    > cc: (bcc: Craig Brauckmiller/LEK)
    >
    > Subject: Unresponsive Vendor
    >
    >
    >
    > I have a moral question for all of you. I have notified a major software
    > company in the past about security issues with their software. I did email
    > them with enough details to replicate the issue. However they never
    > responded to my email, and a couple years later they fixed the issue and
    > did not give credit where due. I'm sure other researchers contacted them
    > with a similar but different way to exploit the flaw, but no one at all is
    > given credit. Now I have a local DoS for their product and have contacted
    > them again, this time via phone. After notifying them they gave me a case
    > number and said an engineer would be in contact with me in approximately a
    > week. I'm guessing that something similar will happen and this issue won't
    > get fixed for a while, and once again I won't get credit. I'm just
    > wondering what would be a fair time frame before releasing an exploit, and
    > what I could/should do about receiving credit. I have looked at some papers
    > online about when you should release an exploit but none I've read yet give
    > any guidance on what you should do if the vendor is dragging their feet.
    >
    >
