Full Disclosure mailing list archives

Re: IE7 Information Disclosure - For sale


From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Fri, 5 May 2006 21:42:00 -0400

> Based on all of the "feedback" on this cess-pool called a mailing
> list.

Did you expect that subscribers to the FULL DISCLOSURE mailing list
would support your plan to make money off of withholding disclosure?

> I am now offering my vulnerabilities for sale only to those
> that

Wait...what about all the people you said had already bid? Are you
just going to screw them over?

> a.) will not report it to the vendor and b.) will only use it
> for their own profit via spyware installations and spambots.

> I will discount the price to anyone using it in the above manner

Ah, you aren't actually going to offer your vulns only to such people
(as you said you would) -- rather, you will offer a discount only to
such people.

How do you intend to enforce the terms of your discount deal? Are you
going to require the buyer to sign a nondisclosure agreement to get
the discount?

I'm not any more sure that you're really offering this discount than I
am that you've discovered a vulnerability, but it would be interesting
to follow the court proceedings should you be indicted along with the
spyware author or spammer. Although you don't really have to sell
it--you're already soliciting people to engage in criminal behavior.

> to target so called security professionals subscribed to this list.

So, let me get this straight...you want to prove that these "so-called
security professionals" are lamers by making it known that:

(1) You have developed a vulnerability and intend to sell it to a
spyware author or spammer.
(2) The "so called security professionals" oppose you.

-Eliah

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

