Full Disclosure mailing list archives

Re: EXPLOITS FOR SALE (AUCTION SITE)


From: "jt5944-27a" <jt5944 () hushmail com>
Date: Sun, 08 Jul 2007 21:48:39 -0600


On Sun, 08 Jul 2007 19:27:58 -0600 George Ou
<george_ou () lanarchitect net> wrote:
> Michal,
>
> I completely agree with you about the ethics of
> selling exploits to the black-market.  However,
> there needs to be a reasonable alternative to
> working for a "thank you" from the vendor.  Very
> knowledgeable people who spend their valuable
> time tracking down bugs deserve to be able to
> make a living and they deserve to get paid.  If
> there were a reasonable finder's fee paid by the
> vendor, then a lot of conscionable researchers
> will go the legitimate route even if they can
> make more money selling it to the black-market.
>
> George

thank you? okay - thank you for creating this wonderful software
that we use. thank you for listening to our defect requests and
thank you for addressing them in a meaningful time frame. but thank
you for finding bugs? are you on drugs?

they didn't ask you to look for defects. this sounds like those
people who paint house numbers on your curb and then want to be
paid even though you never said to paint the numbers. or those
windshield washers who want you to pay them for smearing your
window when you didn't ask for it. the only people who should be
paid to find vulnerabilities are the people asked to find
vulnerabilities.

should we pay burglars for breaking into our homes? and what about
open source projects? should nonprofit groups be forced to pay for
defects that they never asked people to look for? if they don't pay
then should we stop looking?

companies that pay for exploits are honest about it. zdi and vcp
let their customers know about risks before the rest of the world.
the bounty comes from their customer registration fees. customers
pay to hear about exploits first.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
