Re: EXPLOITS FOR SALE (AUCTION SITE)

[scott <redhowlingwolves () bellsouth net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree on most of these points.It seems that researchers don't get back

what they put in.


At the same time,you can't expect to get rich off finding exploits,either.

The security industry,as a whole,needs to get on the bandwagon of how
far the envelope needs to be pushed in this direction.
Who,what,where and how, the found vulnerabilities are reported  needs to
be defined in some definite way.

ROFL,I can't believe I said that with a straight face!!?

But seriously.I would not sell any vuln I have found--as far as looking
to make it a full time job--to someone else,simply because they might
make a name for themselves using my work.

Anonymous works well for me,at this time anyway.


Regards,
  Scott
George Ou wrote:
> Michal,
>
> I completely agree with you about the ethics of selling exploits to the
> black-market.  However, there needs to be a reasonable alternative to
> working for a "thank you" from the vendor.  Very knowledgeable people who
> spend their valuable time tracking down bugs deserve to be able to make a
> living and they deserve to get paid.  If there were a reasonable finder's
> fee paid by the vendor, then a lot of conscionable researchers will go the
> legitimate route even if they can make more money selling it to the
> black-market.
>
> George
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Michal
> Zalewski
> Sent: Sunday, July 08, 2007 11:55 AM
> To: wac
> Cc: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)
>
> On Sun, 8 Jul 2007, wac wrote:
>
> > Is more noble to reward hard to do work that also requires a lot of
> > knowledge which sometimes people does even takes time to even say "thank
> > you".
>
> Vulnerability research is good. Getting paid for research is good. Holding
> vendors accountable is good.
>
> Yet, secretly trading intellectual property, keeping it under wraps for
> months or years to maximize buyer's ROI, and not giving a second thought
> as to why would a shady foreigner pay $50,000 for an _exploit_ they have
> no legitimate use for, pretty much stands against *all* the core values of
> the hacker culture - a culture to which this field of research owes quite
> a bit.
>
> Yeah, it can be done. It might be legal by itself, too - though I'm sure
> the moment your code is used for malicious purposes (or simply against
> your government), if it can be shown you willfully ignored the clearly
> dubious nature of the transaction, a charge of being accessory to crime
> won't be far off.
>
> Still, legal or not, it's not exactly something to be too proud of on this
> list.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGka0jelSgjADJQKsRAjXSAJ9jygmvOGPgjXLNBwK/ri7ZNbKmqgCfV5+2
SYcxLxgjn0sj4k4xhFQ5sFs=
=UfBt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/