> Georgi Guninski wrote:
> > dear "Matthew",
> >
> > are you by any chance MCSE, MVP or something like this?

The folks I know at Yahoo and Google started being engineers when they were like 24 and are still in the security industry at 30. Thirty-something is the prime age for corporate security, it's the age you're in your prime. You can't beat it. The guys I know find hundreds of bugs a year in Google and Yahoo and don't blink an eyelid about the most serious of vulnerabilities. They report them to Yahoo, Google and forget. Some of them get released as patches, some don't. Professionals don't care, they are doing a job.

And these guys I know aren't exactly whitehats, but while they're at work, they treat it as a professional job, and whatever is found at work, stays at work. They have a contract before they are allowed to be a security engineer, that they need to keep it private, until the time is chosen for patch release. And even then, they don't declare they found a particular vulnerability, through choice. It's not being a whitehat, half the folks I know are rogue employees, who work on separate projects out of work, and are blackhat happy. That's the difference between a mailing list vulnerability researcher, and a researcher who isn't interested in fame.

It's about telling the vendor. Sure, you can tell a mailing list, like most mailing list folks do, but don't expect corporate security policy to change or be rushed because you've typed up a convincing "Vendor Response" article at the bottom of your advisory. There is a clear distinction between fame hungry folks and folks who just want to tell a vendor about something, and don't care if it's patched, and like I've said already, blackhat or whitehat doesn't come into it, because there's folks working as security engineers on a professional level who also work in the underground on malicious projects, which also they never disclose in public as being related to them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
