On Fri, Dec 13, 2013 at 10:06:48AM -0500, Mikhail A. Utin wrote: > Answers: > 1. Whether you are right and there is a bug, lrt the vendor (M$) know; that > is ethical. They will decide if to consider your finding as a bug. Your > following steps depend on their opinion on the finding. > 2. If you keep it for yourself - no problems. If you disclose on Internet > before informing M$, there is certain risk, but first of all it is not > ethical. If you sell it as an exploit, and it will be widely used as 0-day, > then it might be a hunt for your head with some bounty (you are not relly > breaking a law as I wrote below, but angry government may find something > suitable for you) . So, you need to consider risks and how to hide your > identity. If you found bug not breaking MS code and not accessing to a > computer illegally, you do not break any formal law. Breaking MS code may be > considered as a violation of their property rights, but MS guys should be > really angry to pursue such case. > As you describe, you did not do anything illegal and releasing the finding is > up to you, again - ethics. > 3. Will make you a star, but not shining brings more risks. > > Shortly - inform M$ first and wait what they said. If they do not agree - you > are free to go. >
I completely disagree with this answer. YOU turn the other cheek, not bug hunters. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
