[VIM] vendor coordination denied on account of "stupidity"

ascii ascii at katamail.com
Sat Sep 8 01:57:54 UTC 2007

Steven M. Christey wrote:
> This thread is for an older bug report that Luigi had made, and
> features the usual vendor/customer reactions to first disclosures.
> Buried in the discussion is the vendor's claim that Luigi gave a hard
> 2-week deadline and released earlier than that deadline.  I don't know
> if this is true, and if so, whether it's a common practice with Luigi,
> but I don't recall seeing these kinds of critiques leveled against him
> in the past.
> For added simultaneous humor and depression, the vendor also calls him
> a "script kiddie".

I don't know him directly but:

Luigi (http://aluigi.altervista.org/) is a talented researcher, he focus
on games probably to downplay the drama of the security industry.

This is just my guess but probably instead finding real vulnerabilities
in real (and somehow boring) applications he prefers to find real
vulnerabilities in multiplayer online games.

This sounds like the classic "vendor is a bricks wall" situation that
happened at last once at every security researcher.

Surely responsible disclosure makes you 100% unattackable from all the
points of view (moral, etc) but i don't see a big problem to put
some "fun" also in public advisories, as long as the vulnerability is
real, details correct and the advisory written in acceptable mixedcase
or lowercase : )

For the coordination denied part an extreme case is Kornbrust vs
Oracle. Are you willing to wait 2 years before releasing a finding? Do
you feel like you are not on they pay roll and they don't deserve such
treatment? This stands to you.

Anyway funny and yes: Luigi is a legit researcher that doesn't release
fake vulns and follow responsible disclosure when applicable. Damn, he
has binary patched many of the vulns he found in unmaintained software
(http://aluigi.altervista.org/patches.htm). Who does that?!

Francesco `ascii` Ongaro

More information about the VIM mailing list