lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <45B0168B.3090901@rs-labs.com>
Date: Fri, 19 Jan 2007 01:53:31 +0100
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: iDefense Q-1 2007 Challenge -I WILL BUY FOR
 MORE

Then you cannot assure that your buyer will make an ethical use of the
exploit. So what's the real difference against selling it to another people
(known or "unknown", where "unknown" could be black-hats, script-kiddies or
whoever making the higher bid)? The receipt? :) I mean, if I (as a
researcher) don't mind what the exploit will be used for, I'd simply look
for the higher bidder (I guess).

And you didn't really answer my former two questions... Please, could you
provide some specific examples of typical ways to justify ROI? Which is the
typical profile/s of enterprise/s buying exploits? (without naming
particular enterprises, of course).



Simon Smith escribió:
> Oh, 
>     About your ROI question, that varies per buyer. I am not usually told
> about why a buyer needs something as that's none of my business.
> 
> On 1/18/07 4:22 AM, "Roman Medina-Heigl Hernandez" <roman@...labs.com>
> wrote:
> 
>> Simon Smith escribió:
>>> Amen!
>>>     KF is 100% on the money. I can arrange the legitimate purchase of most
>>> working exploits for significantly more money than iDefense, In some cases
>>> over $75,000.00 per purchase. The company that I am working with has a
>>> relationship with a legitimate buyer, all transactions are legal. If you're
>> <naive>
>>
>> I was wondering which kind of (legal) enterprises/organizations would pay
>> $75000 for a simple (or not so simple) exploit.
>> - governmental organizations (defense? DoD? FBI? ...)
>> - firms offering high-profiled pen-testing services?
>> - ... ?
>>
>> What about the ROI for such investment?
>>
>> </naive>
>>
>> Regards,
>> -Roman
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 

-- 

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ