
List:       full-disclosure
Subject:    Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux
From:       n3td3v <n3td3v () gmail ! com>
Date:       2006-04-27 19:51:37
Message-ID: 3a166c090604271251s1da61115j7ab11847218ef2d9 () mail ! gmail ! com

> Georgi Guninski wrote:
> > dear "Matthew",
> >
> > are you by any chance MCSE, MVP or something like this?

The folks I know at Yahoo and Google started being engineers when they
were like 24 and are still in the security industry at 30.
Thirty-something is the prime age for corporate security; it's the age
you're in your prime. You can't beat it. The guys I know find hundreds
of bugs a year in Google and Yahoo and don't blink an eyelid about
the most serious of vulnerabilities. They report them to Yahoo, Google
and forget. Some of them get released as patches, some don't.
Professionals don't care, they are doing a job. And these guys I know
aren't exactly whitehats, but while they're at work, they treat it as
a professional job, and whatever is found at work stays at work. They
have a contract before they are allowed to be a security engineer,
that they need to keep it private until the time is chosen for patch
release. And even then, they don't declare they found a particular
vulnerability, through choice. It's not being a whitehat; half the
folks I know are rogue employees, who work on separate projects out of
work, and are blackhat happy. That's the difference between a mailing
list vulnerability researcher and a researcher who isn't interested
in fame. It's about telling the vendor. Sure, you can tell a mailing
list, like most mailing list folks do, but don't expect corporate
security policy to change or be rushed because you've typed up a
convincing "Vendor Response" article at the bottom of your advisory.
There is a clear distinction between fame-hungry folks and folks who
just want to tell a vendor about something and don't care if it's
patched, and like I've said already, blackhat or whitehat doesn't come
into it, because there's folks working as security engineers on a
professional level who also work in the underground on malicious
projects, which also they never disclose in public as being related to
them.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
