Researcher Responsibilities.

Published on: 1192590534 (Unix timestamp; 17 October 2007, 03:08 UTC)
Who takes responsibility first?

Since one of my Internet Explorer browser exploits is a CVE candidate - which I learned is a good thing - I visited CVE.MITRE to have a look. One thing I noticed pretty quickly is a section of their site that talks about researcher responsibilities: "The researcher must reserve candidates for a particular vulnerability from only one CNA. If the affected software vendor is a CNA, then the researcher must obtain the candidate from the vendor..."

What is responsible? Last time, Microsoft contacted me to come over and have a chat about the exploit. Well, honestly, I don't give a rat's ass about all this stuff. So what should I do: contact MITRE first, or Secunia, or Microsoft? To hell with it, I'll just post it here no matter what anyone thinks about it. If they won't visit my site, it is their problem, not mine. I don't care about a good C.V. or a good name; I work for myself, and I believe it's about time vendors start taking this stuff seriously and prevent it, instead of mailing back and forth for 3 months and doing nothing. Remember, I'm not a security researcher: it is not my job, and that is certainly not an excuse.

My belief:

Every security risk must be disclosed fully and as quickly as possible; this is the only way to force vendors to:

A. fix it quickly, no patch scheduling!
B. prevent it from happening again! (because I know a dozen other exploits that could work)
C. be more responsible themselves!

If they are so clever - and responsible - they could hire a couple of browser hackers to fully pentest that piece of crap they sell. Instead they have been whining about all this for how long? 10 years? Microsoft had 20 years to create a good browser, and they still suck. They should be glad I post this stuff, because someone else probably found it before me, kept his mouth shut, and is exploiting it as we speak.

So, researcher responsibilities? Yeah, I have one: I give my readers the truth. I give them what they probably could have found too, if they had had more time to look into it, because I have smart readers!