Re: Submission

[hellnbak () HUSHMAIL COM]

Thanks for your reply Georgi.

> I rarely reply to "lame shit" as defined by the anonymous author but
> since he offends me publicly I must reply.

Wasn't attempting to offend anyone, for that I do apologize.

> 1) Regarding my relations with AOL: Your conspiracy theory is wrong.
> I
> own a software company in Bulgaria.
> My company has a contract with AOL for finding bugs in Mozilla/Netscape
> 6. AOL pay my company only for finding bugs in Mozilla/Netscape and
> for
> nothing more. AOL does not require from me to find bugs in any other
> product or service. I have posted several vulnerabilities in Microsoft's
> product long before I had any relations with AOL.

Why do you choose to not publically disclose the Netscape problems?  Why
are you allowing Netscape/AOL to prove that deep pockets and 7 figure pay
offs can keep people quiet?

It is pretty convieniant for Netscape/AOL isn't it.  Hire you, you keep
quiet about them and seem to speak up about MS.

> 3) Do you think I am so exceptional to be the only one in the world
> to
> find these vulnerabilities? I believe I am not.

You are correct, while I do believe you have a talent, I do not believe
that you are the only one.

> 4) Would you prefer not to post anything to Bugtraq and on my web site?
> Would you feel safer then?

Of course not.  I would feel safer however, if you would at least show some
cooperation and help fix the problems you find.  Your last advisory, #30,
 gave the vendor, in this case MS again, 2 days notice.  Why are you unable
to show a little cooperation for the vendor?  I know you and a lot of people
generally hate microsoft, but why let the industry suffer because of it.
 The longer your findings go unfixed, the more danger there is to all of
us.  I agree that taking months to fix something is way to long, but I disagree
with your precieved lack of cooperation.

> 5) I think the security state of most of the software industry right
> now
> is extremely bad, reaching nightmare. But the problem are not people
> who
> discover the vulnerabilites but the people who ship the
> products/services with vulnerabilities.

I think it is extremely bad but slowly improving.  I agree that the problem
is not the bug finders, the responsible ones anyways, the problem is the
market in general.  Consumers and shareholders squeeze the vendors to rush
products out the door.  These same comsumers then bitch when problems are
found.

> 6) Regarding vendor response times: on my site there are vulnerabilities
> which are not fixed for 4 months and still work.

I agree, 4 months is way too long for a bug to go unfixed.  But why not
cooperate with the vendor, why not  answer their questions and help them
develop a fix.   I remember a post a while back from you that said, "Why
should I help the vendor".   My question to you is, why not help the vendor?
 You said yourself, that they have to get their acts together why not assist
in that process like the rest of us are?