Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Thu May 28 2009 - 16:27:00 CDT
InterN0T is about Hacking. (if you have seen the introduction)
To me, Hacking is primarily about learning how and why things works as they do and if they can be changed (improved or abused in this case) and of course, sharing what you find out so the community can benefit from it!
Afterwards, the developers can learn to code more secure (if you find a vulnerability). However, as we all might know: Security is a human factor and will always be a problem.
If i would contact the vendor as the first thing each time, how would people be able to learn from my research if it's not even possible to get an earlier version where the vulnerability is included in?
Consider the alternatives (where i don't contact the vendor):
- Sell the vulnerability and know people will exploit people in the dark.
- Keep it to myself and exploit people.
- Share it among a little group of people and let them play/exploit with it.
Taking that into consideration makes public disclosure sound like a good option to me. :-)
All of the best,
PS: Yes, i know people will exploit the issue / vulnerability in the public disclosure method, but in this case the dealer actually has a chance of fixing it and usually they will fix it faster because it's a lot more urgent.
It might stress them, but if they just made sure all function calls and user input (forms) were validated properly then i wouldn't have been able to find these holes in the first place ;-)