Full Disclosure mailing list archives
Re: EXPLOITS FOR SALE (AUCTION SITE)
From: "George Ou" <george_ou () lanarchitect net>
Date: Sun, 8 Jul 2007 18:27:58 -0700
Michal, I completely agree with you about the ethics of selling exploits to the black-market. However, there needs to be a reasonable alternative to working for a "thank you" from the vendor. Very knowledgeable people who spend their valuable time tracking down bugs deserve to be able to make a living and they deserve to get paid. If there were a reasonable finder's fee paid by the vendor, then a lot of conscionable researchers will go the legitimate route even if they can make more money selling it to the black-market.

George

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal Zalewski
Sent: Sunday, July 08, 2007 11:55 AM
To: wac
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)

On Sun, 8 Jul 2007, wac wrote:
> Is more noble to reward hard to do work that also requires a lot of knowledge which sometimes people does even takes time to even say "thank you".
Vulnerability research is good. Getting paid for research is good. Holding vendors accountable is good. Yet, secretly trading intellectual property, keeping it under wraps for months or years to maximize buyer's ROI, and not giving a second thought as to why would a shady foreigner pay $50,000 for an _exploit_ they have no legitimate use for, pretty much stands against *all* the core values of the hacker culture - a culture to which this field of research owes quite a bit.

Yeah, it can be done. It might be legal by itself, too - though I'm sure the moment your code is used for malicious purposes (or simply against your government), if it can be shown you willfully ignored the clearly dubious nature of the transaction, a charge of being accessory to crime won't be far off.

Still, legal or not, it's not exactly something to be too proud of on this list.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/