The Race to Disclose. The Race to Fame and Glory?

Finding a new vulnerability in a widely deployed product is exciting. Very exciting. And a natural first instinct is to want to share that information and get credit for it. So, why not just cobble together some sketchy details and post it to Full-Disclosure, milw0rm or your web log? What could possibly go wrong?

Well, a couple of things actually.

First, someone else may have already discovered the issue and posted about it. A best practice is to search the archives for bugs reported against the product and see if any cover what you've found. Do a Google search with some relevant keywords. Avoid reporting on an older version when the most current one already resolves the issue.

Second, what you found may not be that important. Not every browser quirk, visual glitch or access violation needs to be broadcast to the entire world. Doing so is a waste of everyone's time. Love them or hate them, Microsoft's 10 Immutable Laws of Security are spot on when it comes to this. So, if your vulnerability falls in that gray area, what should you do?

The best possible approach is to develop an exploit that does something interesting. Create a demonstration that shows how the problem can actually be abused. I can't understand the amount of time and energy people expend complaining that a vulnerability is or is not exploitable. Release a demonstration and there won't be anything to argue about.

I only bring this up because the trend of bogus and/or worthless bug reports continues to grow. And those doing it for the fame and the glory just end up appearing like idiotic newbies. Which I would suppose is the exact opposite of what they wanted.

Posted by gfleischer on 2007/11/19 at 12:36 in Rants
