Open Source and information security mailing list archives
 
Date: Tue, 16 Jan 2007 14:37:52 -0500
From: Simon Smith <simon@...soft.com>
To: Blue Boar <BlueBoar@...evco.com>,
	"K F (lists)" <kf_lists@...italmunition.com>
Cc: Untitled <full-disclosure@...ts.grok.org.uk>,
	<bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] iDefense Q-1 2007 Challenge

Blue Boar, 
    Simply put, and with all due respect, you're wrong. Furthermore I don't
appreciate you directly or indirectly suggesting that these exploits are
being sold on the black market, that will never happen on my watch, ever!

    More importantly, the company that I am working with is no different
than iDefense. In fact, they both sell their exploits and harvested research
to the same people. The only real difference is in the amount of money that
the researcher realizes when the transactions are complete. This difference
is a direct result of low corporate overhead.

    Lastly, all transactions require that the researcher engage the company
that I work with in a tight contract. This contract ensures that both
parties are legitimate and also protects both parties. They don't do that on
the black market, do they?

    If anyone is interested in learning more about this, you know where to
find me. ;]

iDefense is reselling these exploits to the same third parties as the
business that I work for, or at least I assume that they are. Both iDefense
and our buyers use the exact same list of software targets.


On 1/16/07 1:35 PM, "Blue Boar" <BlueBoar@...evco.com> wrote:

> K F (lists) wrote:
>> We all know black hats are selling these sploits for <=$25k so why
>> should the legit folks settle for anything less? As an example the guys
>> at MOAB kicked around selling a Quicktime bug to iDefense but in the end
>> we decided it was not worth it due to low pay...
>> 
>> Low Pay == Not getting disclosed via iDefense....
> 
> Maybe that's all they are worth to iDefense, since they aren't
> monetizing them in the same way blackhats are.
> 
> Maybe for some people if they were going to just give them to Microsoft
> anyway, a few thousand bucks is worth it.
> 
> Me, for example, if I were capable of finding such vulns, I wouldn't
> sell them to the guys writing the drive-by spyware installers. I might
> sell it to iDefense or Tippingpoint, though.
> 
> BB
> 

