Re: Re: [InterN0T] AMember 3.1.7 - Multiple Vulnerabilities
InterN0T is about Hacking. (if you have seen the introduction)
To me, Hacking is primarily about learning how and why things works as they do
and if they can be changed (improved or abused in this case) and of course,
sharing what you find out so the community can benefit from it!
Afterwards, the developers can learn to code more secure (if you find a
vulnerability). However, as we all might know: Security is a human factor and
will always be a problem.
If i would contact the vendor as the first thing each time, how would people be
able to learn from my research if it's not even possible to get an earlier
version where the vulnerability is included in?
Consider the alternatives (where i don't contact the vendor):
- Sell the vulnerability and know people will exploit people in the dark.
- Keep it to myself and exploit people.
- Share it among a little group of people and let them play/exploit with it.
Taking that into consideration makes public disclosure sound like a good option
to me. :-)
All of the best,
MaXe
PS: Yes, i know people will exploit the issue / vulnerability in the public
disclosure method, but in this case the dealer actually has a chance of fixing
it and usually they will fix it faster because it's a lot more urgent.
It might stress them, but if they just made sure all function calls and user
input (forms) were validated properly then i wouldn't have been able to find
these holes in the first place ;-)