Open Source and information security mailing list archives
Date: Tue, 16 Jan 2007 14:02:27 -0500
From: "K F (lists)" <>
To: Blue Boar <>
Cc: Untitled <>,
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge

This is very true... and in some cases rather than do either you choose 
to sit on the bug. It's almost a Catch-22... some folks invest time 
upfront putting work into various vulnerabilities and have no way to get 
back that investment. That in essence amounts to free QA for vendor X, Y 
or Z and nothing for the researcher. In efforts to offset some of those 
costs those same folks often look to sell a bug or two here and there 
rather than instantly give them to the vendor. Unfortunately the current 
public options pay very little cash and it's almost not worth selling the 
bugs in some instances. 

I sat on the Veritas bug that was used as 3com / ZDI's first release for 
over a year at the very least... quite a bit of time was put into 
tooling that bug into a workable exploit / proof of concept. The bug was 
offered to iDefense well before ZDI even existed but their offer hardly 
covered the hourly rate of the individuals that worked to make it into a 
valid exploitable issue. I do not recall the exact price but I think 
there was a $2k cap per bug at that time. Rather than sell it so cheap 
we just sat on it...

The vendor had been very non-responsive to previous security requests so 
there was no real incentive to report it to them either. Eventually ZDI 
came along and we pushed the bug to them for quite a bit more than the 
iDefense offer. Even though 3com pays very well, after splitting a 
payout between 2 researchers that had to pay uncle sam via 1099 it often 
seems like a waste of time.

I do not know the going rate for a year's worth of iDefense Corp updates 
or a year's worth of support for ZDI's IDS but I would have to expect 
that these companies are profiting far more than the average researcher 
that submits to them. How about the free QA that the vendors get... how 
much is it per license for some of these products, can't they 
collaborate with folks like ZDI or iDefense to get some better 
incentives going? At this point... like I said it's almost not worth 
selling to these sorts of companies.... uncle sam is a friggin hound 
over 1099 money.

> Me, for example, if I were capable of finding such vulns, I wouldn't
> sell them to the guys writing the drive-by spyware installers. I might
> sell it to iDefense or Tippingpoint, though.
> BB
