full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Vulnerabilities Hashes

Re: [Full-disclosure] Vulnerabilities Hashes DB needed

From: Morning Wood <se_cur_ity_at_nospam>
Date: Sun May 06 2007 - 18:26:50 GMT
To: "shadown" <shadown@gmail.com>, <dailydave@lists.immunitysec.com>, <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>


> As I do believe in responsible disclosure, I don't agree with 'giving up
> and
> launchin 0days' so that vendors eat their s**t, the following is what I
> think is the best solution for it.
>
> Solution:
> -------------

 Once I developed this, vendors were typicaly fast to respond... http://www.exploitlabs.com/disclosure-policy.html

 This link is sent upon first contact to the vendor with PoC. Further you should date your PoC and research notes, another good tactic to take is to place your advisory on a webserver, accessable to the vendor but not the public. This also helps establish your timeline so a vendor cannot claim it was fixed "on foobar date" and you get no credit. With over 50 security advisories to date, I have not had the issue you are having.

Some disclosure asset links http://www.wiretrip.net/rfp/txt/ietf-draft.txt http://www.oisafety.org/ http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf

Some stories on disclosure and credit http://blogs.zdnet.com/Ou/?p=465 http://blogs.securiteam.com/index.php/archives/133 http://www.theregister.co.uk/2001/11/14/ms_security_framework_is_another/

hope this helps,
Donnie Werner
http://www.exploitlabs.com
http://www.zone-h.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

   © Copyright 2012 Guardian Digital, Inc. All Rights Reserved.