Message-ID: <3da3d8310605051842s72770ab5oda9a43a5fef551a7@mail.gmail.com>
Date: Sat May 6 02:42:06 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Subject: IE7 Information Disclosure - For sale
> Based on all of the "feedback" on this cess-pool called a mailing
> list.
Did you expect that subscribers to the FULL DISCLOSURE mailing list
would support your plan to make money off of withholding disclosure?
> I am now offering my vulnerabilities for sale only to those
> that
Wait...what about all the people you said had already bid? Are you
just going to screw them over?
> a.) will not report it to the vendor and b.) will only use it
> for their own profit via spyware installations and spambots.
>
> I will discount the price to anyone using it in the above manner
Ah, you aren't actually going to offer your vulns only to such people
(as you said you would) -- rather, you will offer a discount only to
such people.
How do you intend to enforce the terms of your discount deal? Are you
going to require the buyer to sign a nondisclosure agreement to get
the discount?
I'm not any more sure that you're really offering this discount than I
am that you've discovered a vulnerability, but it would be interesting
to follow the court proceedings should you be indicted along with the
spyware author or spammer. Although you don't really have to sell
it--you're already soliciting people to engage in criminal behavior.
> to target so called security professionals subscribed to this list.
So, let me get this straight...you want to prove that these "so-called
security professionals" are lamers by making it known that:
(1) You have developed a vulnerability and intend to sell it to a
spyware author or spammer.
(2) The "so called security professionals" oppose you.
-Eliah