Message-ID: <20050710094502.GA23473@positivism.org>
Date: Sun Jul 10 10:45:00 2005
From: seth at tautology.org (Seth Alan Woolley)
Subject: Multiple Vulnerabilities in Saeven.net's WhoisCart software.

On Fri, Jul 08, 2005 at 03:36:15AM -0400, S. Alexandre M. Lemaire wrote:
> Unfortunately we cannot honor it as is, since you provide no basis, or proof
> for what you suggest. Further, the grounds on which you present this
> opportunistic proposal are legally unsound;

He appeared to be offering you a service fee for private disclosure. That's not a threat of public disclosure if you don't pay, and hence it is not extortion/blackmail. If you want to strike up a contract with him including an NDA, that's your move, not his. There's a difference between an actual crime and the belief that you are in a situation that could lead to your easily being a victim of said crime. Moreover, the rates were not out of line with a regular audit.

It's like some guy came up to you and said I'll keep this photo of you with somebody other than your wife secret for the cost of the photograph and the time he spent. Or is the crime that he's keeping your own flaws secret from even you?

Personally, I find announcing things publicly at the same time as contacting the vendor a much safer move, legally. As well, it is truly in the name of full-disclosure. If you want to censor his post, too, I would suggest you reveal all the emails between you and him regarding particulars. (If I were Vic, too, I would start digitally signing every mail I sent out to prevent forgery.)

I'm experienced enough never to trust a vendor who is willing to do anything they can to prevent their vulns being published. At this point I'm simply wondering why the hell he would ask for half later after you've proven the vuln exists on your own. That sounds like he was only after $250. If he was lying for nothing, that's not just stupid, it's fraud, too. Things just don't add up.

More likely is that you're doing deceptive damage control. Ask yourself which makes more sense. Nice try -- though I'm unsure if anybody even believes you here. We should thank Secunia for not giving in to the pressure from vendors who disagree with full-disclosure, such as yourself.

Seth

-- 
Key id 00BA3AF3 = 8BE0 A72E A47E A92A 0737 F2FF 7A3F 6D3C 00BA 3AF3