Full Disclosure mailing list archives

Re: Multiple Vulnerabilities in Saeven.net's WhoisCart software.


From: Seth Alan Woolley <seth () tautology org>
Date: Sun, 10 Jul 2005 02:45:02 -0700

On Fri, Jul 08, 2005 at 03:36:15AM -0400, S. Alexandre M. Lemaire wrote:
> Unfortunately we cannot honor it as is, since you provide no basis, or proof
> for what you suggest.  Further, the grounds on which you present this
> opportunistic proposal are legally unsound;

He appeared to be offering you a service fee for private disclosure.  
That's not a threat of public disclosure if you don't pay, and hence it 
is not extortion/blackmail.

If you want to strike up a contract with him including an NDA, that's 
your move, not his.

There's a difference between an actual crime and the belief that you are 
in a situation that could lead to your easily being a victim of said 
crime.

Moreover, the rates were not out of line with a regular audit.  It's 
like some guy came up to you and said I'll keep this photo of you with 
somebody other than your wife secret for the cost of the photograph and 
the time he spent.  Or is the crime that he's keeping your own flaws 
secret from even you?

Personally, I find announcing things publicly at the same time of 
contacting the vendor a much safer move, legally.  As well, it is truly 
in the name of full-disclosure.  If you want to censor his post, too, I 
would suggest you reveal all the emails between you and him regarding 
particulars.  (If I were Vic, too, I would start digitally signing every 
mail I sent out to prevent forgery.)  I'm experienced enough never to 
trust a vendor who is willing to do anything they can to prevent their 
vulns being published.  At this point I'm simply wondering why the hell 
he would ask for half later after you've proven the vuln exists on your 
own.  That sounds like he was only after $250.  If he was lying for 
nothing, that's not just stupid, it's fraud, too.  Things just don't add 
up.  More likely is that you're doing deceptive damage control.  Ask 
yourself which makes more sense.

Nice try -- though I'm unsure if anybody even believes you here.  We 
should thank Secunia for not giving in to the pressure from vendors who 
disagree with full-disclosure, such as yourself.

Seth

-- 
Key id 00BA3AF3 = 8BE0 A72E A47E A92A 0737  F2FF 7A3F 6D3C 00BA 3AF3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/