Date: Fri, 09 Nov 2007 15:54:03 -0500
From: Simon Smith <simon@...soft.com>
To: joey.mengele@...hmail.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploit Brokering

Please forgive me... should I beg for mercy?

;]

Joey Mengele wrote:
> This is hardly on topic and you do not have any unique credentials 
> to validate your claims. Please refrain from writing off topic and 
> baseless editorials in the future or risk moderation. Thanks.
> 
> J
> 
> On Fri, 09 Nov 2007 15:22:01 -0500 Simon Smith <simon@...soft.com> wrote:
>> [ This email is in response to all of the emails that I see with people
>> trying to broker exploits by advertising them on full disclosure and
>> other public mailing lists. ]
>>
>> SNOsoft has been legitimately and legally brokering exploits since early
>> 2000, and we're still doing it very successfully. As a matter of policy
>> we will not ever purchase items from careless developers, and will not
>> sell to careless buyers or non-US-based buyers... With exploit brokering
>> comes great responsibility and liability.
>>
>> People posting emails in public forums in an attempt to sell exploits is
>> not only careless and irresponsible, but is also a testament to that
>> person's immaturity and lack of experience. Do they ever stop to think
>> about the potential liability? What happens if they sell to a hostile
>> foreign party, what could happen to them, etc...?
>>
>> I think that there is a legitimate market for Exploit Brokering when it
>> is done properly (ethically and legally). I think that in that market
>> the developers should adhere to strict rules and not cross certain
>> boundaries. I also think that the responsible and ethical developers
>> should be paid fair value for their time, instead of a pathetic maximum
>> of $5,000.00 for a high grade item. Think about it, the average QA
>> Engineer makes more money per bug than the higher talent security
>> researcher. There's something wrong with that.
>>
>> The solution to that problem is not to sell exploits to just anyone in a
>> public forum. That introduces too much liability to the developer,
>> especially if the buyer is illegitimate or hostile. The solution is to
>> work with legitimate established businesses in a confidential and
>> responsible manner.
>>
>> Unfortunately for those developers that are trying to sell exploits in
>> a public forum, their chances of working with legitimate businesses are
>> gone. No way will any of the legitimate Exploit Brokers ever purchase an
>> item from an irresponsible developer. It's just a matter of time till
>> laws get passed and they end up getting thrown in jail for selling
>> weaponized exploits to the wrong people.
>>
>> --
>>
>> - simon
>>
>> ----------------------
>> http://www.snosoft.com
> 


-- 

- simon

----------------------
http://www.snosoft.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/