Full Disclosure mailing list archives

Re: EXPLOITS FOR SALE (AUCTION SITE)


From: wac <waldoalvarez00 () gmail com>
Date: Sun, 8 Jul 2007 14:06:53 -0400

On 7/8/07, Dave Hull <ireadit () gmail com> wrote:

On 7/8/07, ascii <ascii () katamail com> wrote:
>
> Dave Hull wrote:
> > Yep. This is nothing new (and nothing noble), there are at least a
> > handful of web sites that will buy zero days.
> >
> > Maybe we should start zeBay.
>
> Because you are noble? Or to start something new?
>

That was a joke. I thought it was obvious.

The vulnerability researchers that I know and respect have been practicing
responsible full disclosure for years. They aren't in the business of
finding vulnerabilities so they can sell them.


Maybe they don't need the money. I can bet you that there are more that need
it than those that don't.

Responsible full disclosure moves the software industry forward and helps us
all.


Why not encourage research? Companies make a lot of money selling
soft/hard/systems or giving tech support for the very same broken thing. I
think that non-security-related bug hunting should also be encouraged. And
if it is sold to the biggest bidder, then those companies will have to put
more into the research, or pay for the information, or be responsible for their own
broken code and the result of letting that information fall into the wrong
hands by not buying it. Unpatched holes are being sold every day and nobody
knows. At least with an open market everybody can know what is around and
even take countermeasures, by not using the software/hardware/system for a
while, for example. You call what we have today security? It's sooooo distant.
Companies sometimes make millions and usually do not want to pay a little
misery for things. They just sell broken things and then wait until somebody
takes care to find the broken stuff. They simply don't care about that. They only
take action after something is found and there is public pressure. And
sometimes not even knowing the information. Don't you think it would be a
good idea to push them a little to do something for their very own clients?
Hey, that means you too.

I believe that's more noble than selling them to the highest bidder,


It is more noble to reward hard-to-do work that also requires a lot of
knowledge, for which sometimes people don't even take the time to say "thank
you".

but I understand some people have to put food on their families.


You are completely right. And not only food. Hardware and software can be
sometimes very expensive. It is definitely a kind of job that requires
resources, just to save more somewhere else.

And don't worry about that website. It will never work being so closed. A
market is where everybody can buy/sell. That's far from it.

Regards
Waldo

--
ireadit () gmail com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/