Date: Fri, 09 Nov 2007 15:28:34 -0500
From: "Joey Mengele" <joey.mengele@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<simon@...soft.com>
Subject: Re: Exploit Brokering

This is hardly on topic and you do not have any unique credentials 
to validate your claims. Please refrain from writing off topic and 
baseless editorials in the future or risk moderation. Thanks.

J

On Fri, 09 Nov 2007 15:22:01 -0500 Simon Smith <simon@...soft.com> 
wrote:
>[ This email is in response to all of the emails that I see with people
>trying to broker exploits by advertising them on full disclosure and
>other public mailing lists. ]
>
>SNOsoft has been legitimately and legally brokering exploits since early
>2000, and we're still doing it very successfully. As a matter of policy
>we will not ever purchase items from careless developers, and will not
>sell to careless buyers or non US based buyers... With exploit brokering
>comes great responsibility and liability.
>
>People posting emails in public forums in an attempt to sell exploits is
>not only careless and irresponsible, but is also a testament to that
>person's immaturity and lack of experience. Do they ever stop to think
>about the potential liability? What happens if they sell to a hostile
>foreign party, what could happen to them, etc...?
>
>I think that there is a legitimate market for Exploit Brokering when it
>is done properly (ethically and legally). I think that in that market
>the developers should adhere to strict rules and not cross certain
>boundaries. I also think that the responsible and ethical developers
>should be paid fair value for their time, instead of a pathetic maximum
>of $5,000.00 for a high grade item. Think about it, the average QA
>Engineer makes more money per bug than the higher talent security
>researcher. There's something wrong with that.
>
>The solution to that problem is not to sell exploits to just anyone in a
>public forum. That introduces too much liability to the developer,
>especially if the buyer is illegitimate or hostile. The solution is to
>work with legitimate established businesses in a confidential and
>responsible manner.
>
>Unfortunately for those developers that are trying to sell exploits in a
>public forum, their chances of working with legitimate businesses are
>gone. No way will any of the legitimate Exploit Brokers ever purchase an
>item from an irresponsible developer. It's just a matter of time till
>laws get passed and they end up getting thrown in jail for selling
>weaponized exploits to the wrong people.
>
>--
>
>- simon
>
>----------------------
>http://www.snosoft.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
