What's New!

Chat with
Hackers

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 

Hacker
Wargames 

Meet the 
Happy Hacksters 

Help for 
Beginners 

Hacker 
Bookstore 

Humor 

It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

GUIDE to (mostly) Harmless Hacking

More on Shortcuts to Discovering New Ways to Break into Computers

___________________________________________________________
*** What to Do with Your Discovery
___________________________________________________________

The most respectable thing you can do is first contact the organization or individual responsible for the program that your exploit attacks. Let them provide a fix for the exploit before you brag about your discovery (if, in fact, you decide to brag). If you can't find out how to contact them, post a request for contact information to the Full Disclosure email list (https://lists.grok.org.uk/mailman/listinfo/full-disclosure), and someone (more likely several dozen people) will email you the contact information. If you brag after the fix is released, some people won't believe you discovered it first, and some people will hate you for bragging. If you keep quiet, you still can get credit by arranging for whomever you contacted about your exploit to say good things about you when you are looking for a job or running your own company.

In addition, it is a totally responsible choice to report your exploit to a nonprofit or governmental body that tracks these problems, for example Carnegie Mellon University's Computer Emergency Response Team, http://www.cert.org/. You can do this at the same time you contact the organization or individual responsible for the vulnerable program, or let CERT make that contact for you. By reporting your discovery to one of these organizations, you have a good chance of making brilliant and influential friends who will aid you in a career in computer security.

Alternatively, you can sell your exploit to a legitimate computer security company or organization such as the Zero Day Initiative: http://www.zerodayinitiative.com/. However, if word ever gets out that you have been selling exploits, even to respectable oraganizations, there are some in the information technology industry (for example, Internet Security Systems, http://www.iss.net) who will hate you for it. Personally, I see nothing wrong with this, but because this is a controversial activity, consequently it can hurt your career.

Now for the things you can do with your exploits that may seem like fun or might promise to make lots and lots of money, but are highly likely to create problems for you.

Post your discovery to the Bugtraq email list (http://www.securityfocus.com). If you wait to post until after the organization responsible for the program with the vulnerability has provided a fix, you will be sort of a hero. However, if you don't wait, large numbers of people will hate you for it, and most of the people who will love you will be noxious script kiddies. Note that many people who discover computer security vulnerabilities never, ever post to Bugtraq, preferring to keep quiet except within narrow professional circles (by only notifying a CERT, their employer, or a vendor). This is because posting under any circumstances is opposed by some in the profession, just as selling exploits even to respectable organizations is opposed by some.

Give your super duper secret 0-day sploit to two or three of your closest friends. Trouble with this is that a friend might take credit for the discovery by posting it to Bugtraq, or sell it to criminals, or use it to commit crime, or give it to several of his or her best friends, any one of whom might…. And so on.

Try to sell your exploit to the organization or individual responsible for the victim program. This has the disadvantage that they will hate you and accuse you of extortion.

Sell your exploit to a criminal. He/she/they may promise to pay more. However, criminals tend to be, ahem, criminals. You might end up feeding the fishes instead of collecting the money. If the criminals don't get you, the authorities will. Think Club Fed.

Use your exploit to commit your own crimes. See http://happyhacker.org/crime/busted.shtml to read about what THAT can lead to!

If you wish to delve more deeply into the issues of whether, how and where to disclose your discoveries, you may wish to read an excellent, excruciatingly detailed and densely academic paper on the topic of security disclosures: "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government," by Peter P. Swire of the Moritz College of Law of the Ohio State University. Enjoy.
___________________________________________________________
© 2013, Carolyn Meinel. I give permission for you to copy, email, or post this Guide to your website as long as you leave this notice at the end.

Where are those back issues of GTMHHs? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed or may want to commit!

Want to join our email lists?

For our main list:
happyhacker-subscribe@yahoogroups.com

For Windows hackers:
hhwindows-subscribe@yahoogroups.com

For Unix/Linux lovers:
hh-unix-subscribe@yahoogroups.com

Back to the Guides to (mostly) Harmless Hacking --->>   
Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Email:
Visit this group

© 2013 Happy Hacker All rights reserved.