On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
> I already covered that -- if they don't fix it, then publish it.
> Also, if a vendor has a "venerability" to the community, then they
> would obviously fix it.
>
> There's no "responsibility" to disclose anything. FD doesn't exist
> to satisfy some requirement for researchers to publish vulnerabilities
> -- it exists so that people can market themselves. The "we must
> disclose this so that people will know and they can protect
> themselves" is simply a justification for the aforementioned. These
> people don't give a fat fuck about the industry or protecting other
> people. If they did, they would just post "hey, there's a vuln in
> this product, email me and I'll tell you about it." When no-one
> emails them (because this limited audience doesn't care) they don't
> get their "deserved cred" and post it.
>
> Nobody cares, and nobody remembers... his FD will simply be another
> tit in the peep show. People like 0DayInit and Litchfield did it the
> SMART way. They have a client base who have purchased a product to
> protect them from these vulnerabilities. People who purchase the
> product are protected in the meantime, as the vuln is actually
> addressed in the product. It actually works in favor of the
> vendor to take longer, as it makes the product more valuable.
>
> Vendors want "responsible disclosure" so they can assign priority to
> plan release cadence. Disclosers want recognition, or payment, or
> both. Each will do what is in their own best interest. But let's
> not pretend it is anything other than what it is.
>
> t
>
> From: Peter Dawson <slash...@gmail.com>
> Date: Friday, July 6, 2012 10:24 AM
> To: Timothy Mullen <t...@hammerofgod.com>
> Cc: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
> Thor (Hammer of God) : <If and when they fix it is up to them.>
>
> so if the vendor doesn't fix it / ack the bug.. then what ??
> Responsibility works both ways.. Advise the vendor.. if they say fuck
> it.. I say fuck u.. and will advise the community !
>
> There is a responsibility to disclose a venerability to the community
> so that they can take down / block / deactivate a service.
>
> "All that is necessary for the triumph of evil is that good men do
> nothing." -whoever ..fuck it !
>
> /pd
>
> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:
>
> Well, I have to say, at least he's being honest. If the guy is
> chomping at the bit to release the info so he can get some
> attention, then let him. That, of course, is what it is all
> about. He's not releasing the info so that the community can be
> "safe" by "forcing" the vendor to fix it. He's doing it so people
> can see how smart he is and that he found some bug. So Joro's
> reply of "fuck em" is actually refreshingly honest.
>
> Regarding "how long does it take," it is completely impossible to
> tell. If someone fixed it in 10 minutes, good for them. It could
> take someone else 10 months. Any time I see things like
> Wikipedia advising things like "5 months" I have to lol. They
> have no freaking idea whatsoever as to the company's dev processes
> and the extent that the fix could impact legacy code or any number
> of other factors. I would actually have expected code
> bug-finders to have a better clue about these things, but
> apparently they don't.
>
> MSFT's process is nuts -- they have SO many dependencies, so many
> different products with shared code, so many legacy products, so
> many vendors with drivers and all manner of other stuff that the
> process is actually quite difficult and time consuming. Oracle is
> worse -- they have the same but multiplied by x platforms. Apple
> I think has it the "easiest" of the big ones, but even OSX is
> massively complex (and completely awesome).
>
> It is all about intent: if you want to be recognized publicly for
> some fame or whatever, just FD it because chances are you will
> anyway. If you really care about the security of the industry,
> then submit it and be done with it. If and when they fix it is up
> to them.
>
> t
>
> From: Gary Baribault <g...@baribault.net>
> Date: Friday, July 6, 2012 7:59 AM
> To: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
> Hey Georgi,
>
> Didn't take your happy pill this morning?
>
> I would say that the answer depends on how the owner/company
> answers you. If you feel that they're stringing you along and you
> have given them some time, then warn them that you're publishing,
> give them 24 hours and then go for it. Obviously it depends on the
> bug and the software: a major bug in a large program will take
> longer, and so long as they are talking to you, and you don't miss
> your morning happy pill, you can wait; a small bug in a small
> program shouldn't take as long. There is no one answer to your
> question. If you are having an interactive discussion with them,
> then be patient; otherwise, Georgi's answer is a good one if they
> are ignoring you or stringing you along.
>
> Gary B
>
> On 07/06/2012 10:33 AM, Georgi Guninski wrote:
> > On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> >> After having reported a security-relevant bug about a
> >> smartphone, how long would you wait for the vendor to fix it?
> >> What are typical times?
> >>
> >> I remember telling someone about a security-relevant bug in his
> >> library some time ago - he fixed it and published the fixed
> >> version within ten minutes. On the other hand, I often see mails
> >> on bugtraq or so in which the given dates show that the vendor
> >> took maybe a year or so to fix the issue...
> >
> > when i was young i asked a similar question.
> >
> > if you ask me now, the short answer is "fuck them, if you are
> > killing a bug the time is completely up to you."
> > responsible disclosure is just a buzzword (the RFC on
> > it failed).
> >
> > you have bugs, they don't have.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

I find your honesty refreshing.