-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

... really? so everyone who believes in full disclosure is a blackhat now? by your definition, even those who follow RFPolicy are blackhats as well. your "ethics" are severely flawed, and are malaligned with the philosophies that many security professionals subscribe to.
to the original poster: if you independently discover a vulnerability, it's yours. do what you want with it.

- -----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On Behalf Of nrmaster
Sent: Tuesday, June 16, 2009 8:40 AM
To: pen-t...@securityfocus.com
Subject: Re: Things to do before vulnerability disclosure

In stark contrast to what a black hat would do (publish or, more likely, sell it on the black market), an ethical security expert ought to try to notify the vendor so that a patch or fix can be incorporated into the next hot fix and distributed to the public before the details of the exploit are widely available. This sort of approach also fortifies our posture as vulnerability researchers rather than security bug searchers. Obviously, any legal or regulatory obligations will depend on your local laws and/or regulations.

Cheers

- --
View this message in context: http://www.nabble.com/Things-to-do-before-vulnerability-disclosure-tp24044921p24057042.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAko38b0ACgkQacHgESW3wZoaFgP/bHnuOwIPS6UfiMxYgl/5fsP0RYFz
p4W7eYVLIZ09iHc8TQVroDRkVbUCnkzhGXpf6ABb2JOFaP4gmki5GmQ8X9NUCy4u8uzh
bP1qf3tEwfGttWIXFrscZ0iL0VGOrLWBOAS8KxTIYjceasWMXt4MU9mcmgPauNo3lZVS
kdkp+xg=
=5tG2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/