lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7B69C567C46F0D49A2CB66F66130F3C4013D2E03@BUF-EXA.ctg.com>
Date: Mon, 21 Jul 2003 09:49:58 -0400
From: "Martin Walker" <martin.walker@....com>
To: "Jay D. Dyson" <jdyson@...achery.net>,
	"Bugtraq" <bugtraq@...urityfocus.com>
Subject: RE: Disclosure-for-pay?


NOTE: that the individual is not saying "Pay me or I'll tell everyone
about it".  He's just saying "Pay me or I WON'T tell you about it".
There is a subtle but critical difference.  Your example is incorrect
from that standpoint.

Personally I don't think it is very good business, but it is not as
damning as many people are screaming about.  In fact, the most unethical
part is the "provide future services at no cost".

-----Original Message-----
From: Jay D. Dyson [mailto:jdyson@...achery.net] 
Sent: Wednesday, July 16, 2003 6:22 PM
To: Bugtraq
Subject: Re: Disclosure-for-pay?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Jul 2003, Talley, Brooks wrote:

> My company recently received a communication from someone purporting 
> to know of a security vulnerability in our web application. The 
> individual stated that they would sign an NDA and report the details 
> of the vulnerability to us if we paid his "consulting fee" and 
> provided future services to him at no cost.

	Call me unruly, but that sounds like extortion to me.  Indeed,
it's all too akin to someone knocking on your door and claiming they've
found a way to steal your car...but if you'll give them free rides
around town, they'll keep it quiet.

> Is that kind of demand for payment for reporting a vulnerability at 
> all the norm?

	No, this is _not_ the norm.  If anything, it's unethical.  In
some circles, it's considered illegal.  There have been a few people
who've been pinched by law enforcement for such "offers."

	Bottom line: you didn't hire this individual to audit your
applications, so he's out of line asking for compensation.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.
>====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@...achery.net -----<) |    =
|-'
  `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'
`------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun
y0c2+VQ9klvbfd5yMs90nvA=
=pJOm
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ