Full Disclosure mailing list archives

Re: EXPLOITS FOR SALE (AUCTION SITE)

From: "George Ou" <george_ou () lanarchitect net>
Date: Sun, 8 Jul 2007 18:27:58 -0700

Michal,

I completely agree with you about the ethics of selling exploits to the
black-market.  However, there needs to be a reasonable alternative to
working for a "thank you" from the vendor.  Very knowledgeable people who
spend their valuable time tracking down bugs deserve to be able to make a
living and they deserve to get paid.  If there were a reasonable finder's
fee paid by the vendor, then a lot of conscionable researchers will go the
legitimate route even if they can make more money selling it to the
black-market.

George
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal
Zalewski
Sent: Sunday, July 08, 2007 11:55 AM
To: wac
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)

On Sun, 8 Jul 2007, wac wrote:

Is more noble to reward hard to do work that also requires a lot of
knowledge which sometimes people does even takes time to even say "thank
you".


Vulnerability research is good. Getting paid for research is good. Holding
vendors accountable is good.

Yet, secretly trading intellectual property, keeping it under wraps for
months or years to maximize buyer's ROI, and not giving a second thought
as to why would a shady foreigner pay $50,000 for an _exploit_ they have
no legitimate use for, pretty much stands against *all* the core values of
the hacker culture - a culture to which this field of research owes quite
a bit.

Yeah, it can be done. It might be legal by itself, too - though I'm sure
the moment your code is used for malicious purposes (or simply against
your government), if it can be shown you willfully ignored the clearly
dubious nature of the transaction, a charge of being accessory to crime
won't be far off.

Still, legal or not, it's not exactly something to be too proud of on this
list.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: EXPLOITS FOR SALE (AUCTION SITE), (continued)
- - - Re: EXPLOITS FOR SALE (AUCTION SITE) Nick FitzGerald (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Michal Zalewski (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) crazy frog crazy frog (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Dave Hull (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) ascii (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Dave Hull (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) J.A. Terranson (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) wac (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Michal Zalewski (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Peter Dawson (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) George Ou (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) scott (Jul 08)
    - Re: EXPLOITS FOR SALE (AUCTION SITE) Adam Muntner (Jul 08)
- Re: EXPLOITS FOR SALE (AUCTION SITE) jt5944-27a (Jul 08)
  - Re: EXPLOITS FOR SALE (AUCTION SITE) wac (Jul 09)