Re: How to Report a Security Vulnerability to Microsoft

[Dan Becker <geggam () gmail com>]

On Apr 11, 2005 1:56 AM, tuytumadre () att net <tuytumadre () att net> wrote:
>  

> Mr. Guninski, although I am a huge fan of your work, I could not disagree
> more. I am sending this email from Redmond where I was invited by Microsoft
> to a small conference about security (it was mostly about what they go
> through when stuff is reported). "M$", as you call it, is not trying to get
> your 0days. They simply want to protect customers, and, although a large
> part about it is profits, the concern is mostly (as far as I know) about the
> users. Microsoft's biggest fear is wide-spread virus epidemics, so when a
> critical vulnerability is fully disclosed without prior notice to MSRC,
> Microsoft goes into an emergency state and everyone gets off of vacation
> early to come in and help resolve the issue (as was the case with my
> auto-sp2rc release in December, also called "Paul's Christmas" by MSRC
> employees). Microsoft knows that security researchers hang out on lists like
> fd a bugtraq, so what better place to eliminate t he common improper
> disclosing ignorance than to provide clear, concise instructions directly on
> the security hotspots? 
>
>   
>
> Regards, 
>
> Paul 

Dumb question... since this is openly admitted as for profit you are
posting this... what are you paying for exploits ?

We all know others pay for them.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/