lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 22 Jul 2003 16:09:02 +0200
From: Rikhardur.EGILSSON@...d.org
To: bugtraq@...urityfocus.com
Subject: RE: Disclosure-for-pay?



This is apparenty what happened with Serge Humpich, France's famous engineer
(At least in France :-), a true hacker (in the original meaning of the
word).  He was passionate about the French credid card system and how it
worked, and spent four years studying the system and even bought one teller
machine (legally).

In the end he had spend a few hundred thousand dollars on equipment and
countless hours studying the system.    And then he managed to brake the
private key of the banks ..

He went to the banks and proposed to sell them the information both of how
to break and repair the system.

The banks didn't belive his story at first and demanded proof..  So he
bought a few metro tickets from a vending machine and went back with the
slip from the vending machine and the metro tickets.

Then the banks went ballistic and started threatening him with legal actions
and god knows what ...

Word got out about what was heppening and a lot of people became *very*
interested ..

Apparently, somebody managed to repeat the factorization and that somebody
then posted the parts to the Internet.

The "Yescard" was born.


...

Six years later and the Yescards still exist, less of a problem, yes, but
still a problem ...

Personally I don't see any difference in offering you information about how
someone can break into your house and how you can fix that, or a CD with my
song on it, both require special knowledge to make and either you accept the
buy or not ....

It's like a freelance reporter who discovers a story, but instead of seling
it to everybody, you only offer it to one company..





-----Original Message-----
From: Talley, Brooks [mailto:brooks@...k.com] 
Sent: 16 July, 2003 11:02 PM
To: bugtraq@...urityfocus.com
Subject: Disclosure-for-pay?


My company recently received a communication from someone purporting to know
of a security vulnerability in our web application. The individual stated
that they would sign an NDA and report the details of the vulnerability to
us if we paid his "consulting fee" and provided future services to him at no
cost.

Am I crazy here, or does this sound not good in several different ways?

Is that kind of demand for payment for reporting a vulnerability at all the
norm?

I'd love any advice here.

Thanks
-Brooks



Powered by blists - more mailing lists