Full Disclosure mailing list archives
Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE
From: Simon Smith <simon () snosoft com>
Date: Fri, 19 Jan 2007 01:22:16 -0500
Roman and List, Let me address this issue once and for all, because the "issue" is really quite simple. I am offering security researchers the ability to have their exploits legally purchased for a price that is higher than the standard prices offered by the majority of third parties. The researchers who decide to participate will be sent a legally binding contract. This contract will specifically protect the researcher and buyer and clearly spell out the terms and conditions of business. And as for Roman's argument, I can assure him (and all of you) that the exploit code will be put to ethical, legitimate and legal use. The only people that will be using the exploit code are established U.S. based public or private sector corporations/parties. Other than that I am not going to get into a debate about it. Lastly, it amazes me that so many people complain about the prices that they sell their exploits for, then, when someone like me comes around to try to give them fair pricing in a legal way, they'd rather complain about that than take up the opportunity. This reminds me of old women who are always trying to find a reason to complain. Nothing more than a bunch of grumpy old women. ;] On 1/18/07 7:53 PM, "Roman Medina-Heigl Hernandez" <roman () rs-labs com> wrote:
Then you cannot assure that your buyer will make an ethical use of the exploit. So what's the real difference against selling it to another people (known or "unknown", where "unknown" could be black-hats, script-kiddies or whoever making the higher bid)? The receipt? :) I mean, if I (as a researcher) don't mind what the exploit will be used for, I'd simply look for the higher bidder (I guess). And you didn't really answer my former two questions... Please, could you provide some specific examples of typical ways to justify ROI? Which is the typical profile/s of enterprise/s buying exploits? (without naming particular enterprises, of course). Simon Smith escribió:Oh, About your ROI question, that varies per buyer. I am not usually told about why a buyer needs something as that's none of my business. On 1/18/07 4:22 AM, "Roman Medina-Heigl Hernandez" <roman () rs-labs com> wrote:Simon Smith escribió:Amen! KF is 100% on the money. I can arrange the legitimate purchase of most working exploits for significantly more money than iDefense, In some cases over $75,000.00 per purchase. The company that I am working with has a relationship with a legitimate buyer, all transactions are legal. If you're<naive> I was wondering which kind of (legal) enterprises/organizations would pay $75000 for a simple (or not so simple) exploit. - governmental organizations (defense? DoD? FBI? ...) - firms offering high-profiled pen-testing services? - ... ? What about the ROI for such investment? </naive> Regards, -Roman _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- iDefense Q-1 2007 Challenge contributor (Jan 10)
- Re: iDefense Q-1 2007 Challenge Simon Smith (Jan 16)
- Re: iDefense Q-1 2007 Challenge K F (lists) (Jan 16)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Simon Smith (Jan 16)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Roman Medina-Heigl Hernandez (Jan 18)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Simon Smith (Jan 18)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Simon Smith (Jan 18)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Simon Smith (Jan 18)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Roman Medina-Heigl Hernandez (Jan 18)
- Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR MORE Simon Smith (Jan 18)
- Re: iDefense Q-1 2007 Challenge K F (lists) (Jan 16)
- Re: iDefense Q-1 2007 Challenge Simon Smith (Jan 16)
- Re: iDefense Q-1 2007 Challenge Blue Boar (Jan 16)
- Re: iDefense Q-1 2007 Challenge K F (lists) (Jan 16)
- Re: iDefense Q-1 2007 Challenge Simon Smith (Jan 16)
- Re: iDefense Q-1 2007 Challenge Blue Boar (Jan 16)
- Re: iDefense Q-1 2007 Challenge Simon Smith (Jan 16)
- Re: iDefense Q-1 2007 Challenge Tim Newsham (Jan 17)
- Re: [_SUSPEKT] - Re: iDefense Q-1 2007 Challenge - Bayesian Filter detected spam Simon Smith (Jan 18)
- Re: iDefense Q-1 2007 Challenge ad () heapoverflow com (Jan 16)
- Re: iDefense Q-1 2007 Challenge K F (lists) (Jan 16)
- Re: iDefense Q-1 2007 Challenge Mark Sec (Jan 16)