Dailydave mailing list archives

Re: Announcing the Zero Day Initiative


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Mon, 25 Jul 2005 06:43:40 -0700

David Endler wrote:

> Hey Halvar,
>
> By our own standards, 3Com cannot use any vulnerability information or
> report it to anyone until it is officially purchased.  We have more to lose
> from a trust and legal standpoint:
>
> http://www.zerodayinitiative.com/benefits.html
>
> "If an offer is not made or an offer is made but not accepted by the
> researcher, the vulnerability information will remain the property of
> the researcher and will not be used in the Zero Day Initiative (ZDI) program."

Uh-huh. You are neither a priest nor a doctor. I can see the lawsuits now
(assuming you actually followed the process above). If you know of a
vulnerability, and yet do not inform the vendor, all sorts of possibilities
open up. In this day and age of a vanishing constitution, where the Patriot
Act is the law of the land, I cannot see how you expect us to be so naive
as to think that you will not take advantage of anyone so stupid as to
believe you.

Yes, I know that there's already someone out there paying for vulns; I
don't trust them either.

--
It is by caffeine alone I set my mind in motion.
It is by the beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine only I set my mind in motion.