Date: Fri Jul 29 12:09:31 2005
From: grisu at guru.at (Christoph Gruber)
Subject: Our Industry Is Seriously Ethics Impaired

On Thursday, 28 July 2005 01:34, Williams, James K wrote:

> Yes, there is value in sharing it first with the paying
> customers, but there is also great value in eventually disclosing
> it to the public.  Public disclosure == advertising, for both
> the vuln buyer and the vuln discoverer.  I've found that
> commercial entities who deal in 3rd party vulnerabilities usually
> want to share with the public after a few weeks/months.
> Commercial entities who sell vuln audit/scanner/pen-test software
> usually don't want to share all of their exploit code or
> vulnerability information though.  They want to share just enough
> to get people interested in their products/services.

The only workaround for that problem is to pay the 0day-finder on a 
daily/monthly basis, so he will get 5000[add as many zeros here as you want] 
USD for every month the vulnerability is not fixed.
That will cause enough pain to the industry.

-- 
Grisu
2B OR (NOT (2B)) = FF 
