Wired posted an interesting article this month discussing the benefits and drawbacks of hackers releasing exploits into the wild and to vendors. Some of the points I agree with, but some I do not.
I do feel that exploits should be released to the vendors before disclosure. Back in my heyday of finding exploits, I had a set of rules:
- Find exploit
- Send any/all contacts for vendor an e-mail outlining the exploit
- Wait 7 days
- If no response, release the exploit as live; otherwise publish it as is. Both scenarios would be labelled as vendor-notified
This was simple: in the e-mail, I would provide the software name and version, the OS if needed along with any other system specifics, what the exploit is, what it does, and how to patch it. I would also include a note saying that if no response was received within 7 days, the exploit would be released to the world.
My view was that it was up to the vendor at that point to either fix it or not. None of the exploits I found were extensive (i.e. sifting through the code of VirtualBox to find out that a memory leak happens when some action occurs). It was mostly beginner stuff, such as local/remote file inclusion and cross-site scripting. Some vendors responded, most didn’t. Of those who did, I had a long-lasting relationship with one, fixing exploits for him.
I do not, however, condone releasing such information to the public without properly informing the vendor first (unless of course they cannot be reached). I never classified myself as any type of hat, but if I had to, it’d be grey. I didn’t find exploits to ruin people’s lives; I found them because I love security. I wanted to reach out to those who needed help and do my best. However, withholding valuable information such as exploits for personal gain of any sort is far from beneficial to anyone, even yourself. For every exploit you can find, there’s someone out there who can find more, and they may give away your exploit before you have the chance.