It’s just: what could that new approach look like?
Luca Carettoni - @_ikki
If the vendor doesn't care (hey Mary!), digital self-defense in the form of full disclosure is a valid alternative, so that the community can work together on creating mitigations and resilient infrastructure in a timely manner. In these situations, Google's 90-day disclosure deadline is an example of a mechanism used to improve industry response times to security bugs.
Michele Orrù - @antisnatchor
- Keep it private and use it during legit penetration tests or red team engagements, then report it to the vendor 12 months later because it’s Unholy Christmas time;
- Sell it just like a PoC, or sit on it to achieve full RCE and then sell it to some broker;
- Just go Full Disclosure and publish as a fake persona to cause mayhem;
- Privately report it to the vendor, helping them fix it, etc.
Luca De Fulgentis - @_daath
Ethical hacking’s deliverables are often intended as weapons to fuck up or deceive someone: technology or service providers, colleagues, managers and sometimes even customers. And let me say that most of the security firms and related professionals out there blindly accept this perverse “game”, even if they claim to be "ethical" or "white-something" - after all, business is business.