GUIDE to (mostly) Harmless Hacking
More on Shortcuts to Discovering New Ways to Break into Computers
*** What to Do with Your Discovery
The most respectable thing you can do is first contact the
organization or individual responsible for the program that your
exploit attacks. Let them provide a fix for the exploit before
you brag about your discovery (if, in fact, you decide to brag).
If you can't find out how to contact them, post a request for
contact information to the Full Disclosure email list (https://lists.grok.org.uk/mailman/listinfo/full-disclosure),
and someone (more likely several dozen people) will email you
the contact information. If you brag after the fix is released,
some people won't believe you discovered it first, and some people
will hate you for bragging. If you keep quiet, you still can
get credit by arranging for whomever you contacted about your
exploit to say good things about you when you are looking for
a job or running your own company.
In addition, it is a totally responsible choice to report
your exploit to a nonprofit or governmental body that tracks
these problems, for example Carnegie Mellon University's Computer
Emergency Response Team, http://www.cert.org/.
You can do this at the same time you contact the organization
or individual responsible for the vulnerable program, or let
CERT make that contact for you. By reporting your discovery to
one of these organizations, you have a good chance of making
brilliant and influential friends who will aid you in a career
in computer security.
Alternatively, you can sell your exploit to a legitimate computer
security company or organization such as the Zero Day Initiative.
However, if word ever gets out that you have been selling exploits,
even to respectable organizations, there are some in the information
technology industry (for example, Internet Security Systems)
who will hate you for it. Personally, I see nothing wrong with
this, but because it is a controversial activity, it can hurt
your career.
Now for the things you can do with your exploits that may
seem like fun or might promise to make lots and lots of money,
but are highly likely to create problems for you.
Post your discovery to the Bugtraq email list (http://www.securityfocus.com). If you wait
to post until after the organization responsible for the program
with the vulnerability has provided a fix, you will be sort of
a hero. However, if you don't wait, large numbers of people will
hate you for it, and most of the people who will love you will
be noxious script kiddies. Note that many people who discover
computer security vulnerabilities never, ever post
to Bugtraq, preferring to keep quiet except within narrow professional
circles (by only notifying a CERT, their employer, or a vendor).
This is because posting under any circumstances is opposed by
some in the profession, just as selling exploits even to respectable
organizations is opposed by some.
Give your super duper secret 0-day sploit to two or three
of your closest friends. Trouble with this is that a friend might
take credit for the discovery by posting it to Bugtraq, or sell
it to criminals, or use it to commit crime, or give it to several
of his or her best friends, any one of whom might
Try to sell your exploit to the organization or individual
responsible for the victim program. This has the disadvantage
that they will hate you and accuse you of extortion.
Sell your exploit to a criminal. He/she/they may promise to
pay more. However, criminals tend to be, ahem, criminals. You
might end up feeding the fishes instead of collecting the money.
If the criminals don't get you, the authorities will. Think Club Fed.
Use your exploit to commit your own crimes. See http://happyhacker.org/crime/busted.shtml
to read about what THAT can lead to!
If you wish to delve more deeply into the issues of whether,
how and where to disclose your discoveries, you may wish to read
an excellent, excruciatingly detailed and densely academic paper
on the topic of security disclosures: "A Theory of Disclosure for Security and
Competitive Reasons: Open Source, Proprietary Software, and Government,"
by P. Swire of the Moritz College of Law of the Ohio State University. Enjoy.
© 2013, Carolyn Meinel. I give permission for you to
copy, email, or post this Guide to your website as long as you
leave this notice at the end.
Where are those back issues of GTMHHs? Check out the official
Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned
hacking of the kind that led to the creation of the Internet
and a new era of freedom of information. But we hate computer
crime. So don't email us about any crimes you may have committed
or may want to commit!