Reporting Vulnerabilities Is For The Brave 245
An anonymous reader writes "A recent post on the CERIAS weblogs examines the risks associated with reporting vulnerabilities. In the end, he advises that the risks (in one situation, at least) were almost not worth the trouble, and gives advice on how to stay out of trouble. Is it worth it to report vulnerabilities despite the risks, or is the chilling effect demonstrated here too much?"
Apropos Comment (Score:4, Funny)
I stick my neck out for nobody. -- Humphrey Bogart, "Casablanca"
Ah well, at least we'll always have Paris.
Re:Reporting vulnerabilities safely? (Score:4, Funny)
3) Walk around until you find an unsecured AP of somebody you don't like.
So then the common computer illiterate that didn't have his AP properly secured gets hassled by the police instead.
You know what they say... (Score:5, Funny)
Simpler than unsecured Wi-Fi (Score:5, Funny)
Run an end-around (Score:1, Funny)
In short, post them as anonymously as possible. Don't go through the fucking "right" channels, because they are looking to retain their share-holders confidence. Which is why you heave a god damn shitbomb into their office and let them sort that son of a bitch out. Eventually, people will start taking security fucking seriously. They will start asking about NetBSD, hooking up hardware firewalls, and thinking twice before shopping at Best Buy. And the you won't be sitting in jail because you reported a 0-day exploit to M$/Apple/Redhat/Berkeley/FuckingSCOX.
Run an end-around. Works for football, works for World War II submarines, and it works for reporting vulnerabilites.