r0t FAQ edition 0.91 alfa
Hi again,
I'm r0t, and I mostly report new SQL/XSS vulnerabilities on the net.
So there are some things that I want to make clear:
1) You aren't correct with your report.
1. Every one of my vulnerability reports is automatically reported to the biggest vulnerability research
teams/bugtraq sites (Secunia, OSVDB, FrSIRT, security.nnov.ru). So that means either you are more skilled than all of us together, or you missed some stuff. 99% of all my reports are later verified by the biggest and best vulnerability researchers in the world.
So I also have mistakes in my reports, because sometimes I report vulnerabilities for software which doesn't have any public demos or trial versions, and then my tests are only done on "case studies" or on clients who use that software.
In that case, vulnerability researchers who try to verify my report after me sometimes have big problems with that, because who wants to test on real examples? Of course it's illegal, so you can only imagine what it is like to prove something by testing on bank sites and .gov sites.
About that, of course I have problems with governments, police and other structures who fight against "hackers" at all, but that's my problem, not yours.
Does it mean that I have broken laws with my tests and reports?
Yes, of course, but as I used them only for testing and reporting, I can answer to any court for that, for my tests and reports.
2) Next time report to the vendor!
2. Why don't I report vulnerabilities to vendors? There were a few times when I did report, and one of them was vBulletin, my favourite forum developers; when I didn't get answers to a few reports in some weeks, I automatically forgot about reporting to vendors. Of course not all vendors are like one vendor, and one vendor isn't like the others.
3) It isn't professional when you don't report to vendors.
3. Look, if you are one of those vendors who are listed on my blog, that shows that you made a mistake in your work and your product was insecure, and that means that you aren't professional. I'm not a developer, I'm only a pentester.
4) Give me a live example.
4. If you aren't from Secunia, FrSIRT, OSVDB or the vendor, I will not provide you with any live examples or HowTos. So anyway, forget about that and RTFM!
5) We have fixed that in the new release, delete your report.
5. Look, I'm very glad that you have fixed that vulnerability, but the vulnerable version of your software is already in use, and many people will keep using it for a while.
They are my reports, and nothing will be deleted unless I recognize that it was my mistake.
6) You are a hacker.
6. I never had the idea that I'm a hacker; a hacker for me is a guru with skills and knowledge that I don't have. I only do my "job": I report insecure systems, with the wish that not the vendor but the potential user of the software will know about insecure systems, so it will be easier for him to choose which software he will use in his project.
Yes, of course I admit that I moderate some hacker and security boards now, but there I am under another "ID", because sometimes being r0t can be very dangerous.
PS.
I hope this FAQ will give answers to most of your questions. If you have any other questions about me or my reports, you can mail me: krustevs[at] gmail.com