Security in an Open Electronic Society
Elias Levy, SecurityFocus 2001-10-21

Microsoft's argument against 'information anarchy' is as self-serving as it is illogical.

Security in an Open Electronic Society 2001-10-22
j
I believe that it is our duty to find exploits in code and to let the vendor know as well as our fellow white hats. There is definitely a procedure to follow, generally letting the vendor know about it first and foremost. But if they will not do anything or are not moving fast enough, it is important to let others know about it so they can watch for it and protect themselves from it.

The truly dangerous hackers have already discovered many of these exploits and have kept them to themselves in order to keep an effective toolkit. I guess what this comes down to is if we do not do our job of discovering exploits then only the black hats will have them. The best thing we could do for the serious black-hat hackers would be to stick our head in the sand and not look for exploits.

Having said that, if you are trying to discover these exploits on systems other than your own you are violating laws and are at the very least a grey-hat.

Generally once an exploit is discovered a patch comes out quickly thereafter; if you don't keep up with those patches you deserve what you get. If you use buggy insecure code that may be easier, just expect to be patching that much more frequently.

Remember: if they outlaw hacks then only the outlaws will have them.

Security in an Open Electronic Society 2001-10-23
rgerber.nipc (at) fbi (dot) gov [email concealed] (1 replies)
Motivation to attack 2001-10-26
Tigger
Security in an Open Electronic Society 2001-10-23
Anonymous Security Professional







 

Copyright 2007, SecurityFocus